Fuel CMS 1.5.0 – Cross-Site Request Forgery (CSRF)

Exploit Database
36 阅读

作者： Ali J

日期： 2022-04-19
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/50884/

# Exploit Title: Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)# Google Dork: NA
# Date: 11/03/2022
# Exploit Author: Ali J
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.5.0
# Version: 1.5.0
# Tested on: Windows 10

Steps to Reproduce:
1. Login with user 1 and navigate to localhost/FUEL-CMS/fuel/sitevariables
2. Select any variable, click on delete button and select "yes, delete it". Intercept this request and generate a CSRF POC for this. After that drop the request.
3. Login with user 2 in a seperate browser and execute the CSRF POC. 
4. Observe that the site variable has been deleted. To confirm, login with user 1 again and observe that the variable has been deleted from site variables.

last Exploits
Fuel CMS 1.5.0 – Cross-Site Request Forgery (CSRF)的更多信息

SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response：
Concrete CMS < 5.5.21 - Multiple Vulnerabilities：
VMware View Portal 3.1 – Cross-Site Scripting：
vBulletin 4.1.7 – Multiple Remote File Inclusions：
Amateur Photographer’s Image Gallery – ‘fullscreen.php?albumid’ SQL Injection：
Synology DSM 4.3-3827 – ‘article.php’ Blind SQL Injection：
mooSocial 3.1.8 – Reflected XSS：
Food Ordering Script 1.0 – SQL Injection：