Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Typesettercms v5.0.1 - (Delete Files) CSRF Vulnerability

🗓️ 06 Oct 2016 00:00:00Reported by ZwXType 
zdt
 zdt🔗 0day.today👁 50 Views

Typesettercms v5.0.1 CSRF Vulnerability, Delete File

Code
Technical Details & Description:
================================
A cross site request forgery web vulnerability has been discovered in the official Typesettercms v5.0.1 web-application.
The issue allows remote attackers to manipulate client-side browser to web-application requests to execute service functions 
via non-expired session credentials.

The cross site request forgery vulnerability is located in the cms `file` parameter of the `extra` module POST method request.
In the absence of a security token an attacker can execute code arbitrary against administrator account to permanenly delete 
the pages of the website via panel. Due to the infrastructure the issue becomes more critical without a checkbox to confirm 
the delete of any page.

The security risk of the client-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.0.
Exploitation of the non-persistent web vulnerability requires no privileged web application user account and low or medium user interaction. 
Successful exploitation of the vulnerability results in the execute of the delete function of pages without secure approval or validation.


Proof of Concept (PoC):
=======================
The csrf web vulnerability can be exploited by remote attackers without privileged web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


PoC: Exploitation
<html>
<title>Delet Pages CSRF</title>
<!-- Cross Site Request Forgery -->
<meta http-equiv="refresh" content="0">
<img src="http://localhost:8080/Admin/Extra?cmd=DeleteArea&file=[VULNERABILITY-LAB]"/>
</meta>
</html>


Domain:     www.zwx.fr
Contact:    [email protected]	
Social:     twitter.com/XSSed.fr
Feeds:      www.zwx.fr/feed/
Advisory:   www.vulnerability-lab.com/show.php?user=ZwX
            packetstormsecurity.com/files/author/12026/
            cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/
            0day.today/author/27461

#  0day.today [2018-02-06]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Oct 2016 00:00Current
7.1High risk
Vulners AI Score7.1
typesettercmscsrfvulnerabilitydeletefilesremoteattackerssecuritynon-persistentexploitation
50