CSRF in FROG CMS 0.9.5 #17

Open
security-breachlock opened this issue Sep 5, 2018 · 1 comment
security-breachlock commented Sep 5, 2018

Affected software: FROG CMS 0.9.5

Type of vulnerability: CSRF

Discovered by: BreachLock

Website: https://www.breachlock.com

Author: Balvinder Singh

Description: CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.
CSRF attacks target functionality that causes a state change on the server, such as changing the victim's email address or password or purchasing something. Forcing the victim to retrieve data doesn't benefit an attacker because the attacker doesn't receive the response, the victim does. As such, CSRF attacks target state-changing requests.
It's sometimes possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called "stored CSRF flaws". This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

Proof of concept:
Step 1: Log in to the Frog CMS.
Step 2: Here, in the edit user settings, we can change the password, username and email of the user.
Vulnerable URL: http://localhost/FrogCMS-master/FrogCMS-master/admin/?/user/edit/2
[Screenshot: 11 - frog cms - csrf - username - poc 1]

Step 3: Here is the crafted code which we used to execute the CSRF successfully. Save this code as an .html file and open it in your browser. After running the code below, we get a submit request button, and clicking this button changes the title and email address of the victim.
[Screenshot: 12 - frog cms - csrf - username - poc 2]

Step 4: Here we successfully changed the title and email parameters using the crafted code.
[Screenshot: 13 - frog cms - csrf - username - poc 3]

@security-breachlock (Author) commented:

Hi Team,

Any updates regarding the patches.
