Exploit Title: CSRF Privilege Escalation (Creation of an administrator account) on FlatCore v1.4.6
Date: 08-April-2017
Exploit Author: @shardulm94
Software Link: https://github.com/flatCore/flatCore-CMS/archive/v1.4.6.zip
Version: 1.4.6
Description:
Using Cross-Site Request Forgery (CSRF), an attacker can force a user who is currently authenticated with a web application to execute an unwanted action. The attacker tricks the user into loading an attacker-controlled page that submits a request to the application in the background; because the browser attaches the victim's session cookie to that request, the application cannot tell it apart from a request the user made deliberately. In the case of FlatCore, the admin dashboard (ACP) does not verify that state-changing requests originate from its own forms, so we can use CSRF to perform administrative actions by targeting a logged-in administrator.
Exploit:
We assume that FlatCore is installed at http://localhost/. Our target is acp/acp.php?tn=user&sub=new&edituser= which is the page used to create a new user. The given POC is an HTML page carrying a form aimed at this page; submitting it creates a user on the website which has full administrator privileges.

Before running the POC, make sure you are logged in to an administrator account in the same browser. Then open the HTML file and submit the form. The new user with admin rights should now have been created, which can be confirmed in the ACP user list.
References:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)
Screenshots (images not included here): before the exploit; exploit page; after submitting the form; new user added; with admin access.
Impact: Compromises the entire web application and user data
Mitigation: Protect every state-changing ACP request with an anti-CSRF token that is generated per session (or per form), embedded in the form, and verified server-side with a constant-time comparison before the action is performed. Setting the session cookie's SameSite attribute (Lax or Strict) is useful defence in depth but is not a substitute for tokens on its own.
Creation of a user account is just one example. Other pages and settings in the admin dashboard are also vulnerable to CSRF. For example, the Global Headers (HTML) feature can be abused to inject JavaScript into the website.