Found that, concrete5 v5.6.1.2 suffers from multiple CSRF vulnerabilities
In this vulnerability attacker can craft CSRF Exploit page and host somewhere, and this link will be sent to Victim who is already logged in to Concrete5 CMS, once victim click on this link Attacker can,
- Modify SMTP Settings
- Modify Mail Importers Settings
- Delete Form Results
Exploit code has been published on exploit-db , Interesting thing is we can delete form results, but for that Attacker must be able to get hold of "qsID" Parameter which can be found at below URL :
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/
Once attacker gets "qSID" values, its game of minute to create CSRF page.
Delete Form :
Below is "qSID" value which is static throughout CMS, now you can craft this link in HTML page and send it to Victim, and Form results will be deleted!!!! This is just for informational purpose and not for destructive, but a POC of how attacker can maliciously think!!!
Exploit has been release publicly at exploit-db
EDB-ID: 26077
No comments:
Post a Comment