Posts

Showing posts from February, 2018

CSRF on Change Password

The application is vulnerable to a CSRF attack.

URL: https://subrion.org/
Affected Application Version: Subrion CMS 4.1.5

An attacker can change the administrator password by sending a crafted request to the application's change password field. The application does not validate the origin the request is coming from, and no CSRF token is implemented.

Proof of concept as given below:

Crafted Code of Change Password of Administrator User.
Crafted Request to Change the Password of Administrator.
After Submitting the Request Password is Changed Successfully

Recommendation:

·   Apply CSRF tokens, also known as X-XSRF tokens. Just applying CSRF tokens cannot fix the CSRF vulnerability. Make sure there is proper implementation of CSRF tokens as per the following rules.
·   Apply request-based CSRF tokens instead of session-based CSRF tokens.
·   Make sure CSRF token leakage is not possible on the application. As the attacker might use leaked/unused CSRF token...
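
The recommendation above (request-based tokens plus a check on where the request comes from) can be sketched as follows. This is an added example, not code from the original post or from Subrion CMS; the class and function names, the csrf_token field, the cms.example origin and the in-memory dictionary standing in for session storage are all assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://cms.example"  # assumption: placeholder site origin


class CsrfGuard:
    """Request-based (single-use) CSRF tokens, tracked per session."""

    def __init__(self):
        self._unused = {}  # session id -> set of issued, not yet used tokens

    def issue(self, session_id):
        """Mint a fresh token for one rendered form."""
        token = secrets.token_urlsafe(32)
        self._unused.setdefault(session_id, set()).add(token)
        return token

    def _consume(self, session_id, submitted):
        """Accept a token once; it is discarded as soon as it is used."""
        candidate = (submitted or "").encode()
        for token in list(self._unused.get(session_id, ())):
            if hmac.compare_digest(token.encode(), candidate):
                self._unused[session_id].discard(token)
                return True
        return False

    def check(self, session_id, headers, form):
        """Gate a state-changing POST such as the password change."""
        source = headers.get("Origin") or headers.get("Referer") or ""
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
            return False, "untrusted origin"
        if not self._consume(session_id, form.get("csrf_token")):
            return False, "missing, unknown or reused token"
        return True, "ok"


def demo():
    """Constructed requests: cross-site forgery, valid submit, replay."""
    guard = CsrfGuard()
    token = guard.issue("session-A")  # constructed session id
    same_site = {"Referer": TRUSTED_ORIGIN + "/profile"}  # constructed path
    forged = guard.check("session-A", {"Origin": "https://other.example"},
                         {"new_password": "x"})
    first = guard.check("session-A", same_site, {"csrf_token": token})
    replay = guard.check("session-A", same_site, {"csrf_token": token})
    return forged, first, replay
```

Because each token is discarded on first use and is only valid for the session it was issued to, a leaked token that has already been submitted cannot be replayed.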
I have found Reflected Cross-Site Scripting on WolfCMS (0.8.3.1) Stable Version.

Vulnerable parameter is "Create New File" and "Create New Directory".

It does not sanitize the "Create New File" and "Create New Directory" input boxes from the 'files' tab, and it is possible to execute Cross-Site Scripting (XSS) attacks.

Payload Used: <script>alert(0);</script>

Please find the attached screenshot for proof of concept.

Additional information
Wolf CMS version: 0.8.3.1
DB type and version: MySQL - 10.1.9-MariaDB
HTTP server type and version: PHP/5.6.15

When you fix the bug, please, can you include my name in the release notes when the bug is corrected?

Name: Tushar Kadam
Email: kadatushar@gmail.com