Two Cross-Site Request Forgery (CSRF) vulnerabilities in ArticleCMS allow attackers to create users and escalate privileges.
While the super administrator (root) is logged in, two important POST requests have no CSRF protection; they can create a new user and promote it to administrator privileges. This can be achieved by tricking the super administrator into opening the two pages while he is logged in.


Set up the CMS on a public network server and log in as the root user to capture the request that creates a user.

Intercept the request with Burp and generate the CSRF PoC from it.

Create the CSRF page locally.

Now, in another browser, assume that the root user has logged in to the CMS and the login session is still stored in that browser, and that root then clicks the CSRF link sent by someone else:
http://192.168.1.26/SAFE16/articlecms_csrf.html


Go to this page.

View the user management page: the 'hacker' user has been added successfully.

In this CMS, the roles from top to bottom are administrator, auditor and editor. Promotion requires the root user to click this button.
This is also a CSRF attack, similar to the user-creation operation above.




After two promotions, hacker is promoted to administrator.
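
A server-side check that would reject both forged requests described above, given as an added example (it is not ArticleCMS code). The origin `https://cms.example`, the `csrf_token` field name, the session id and all function names are assumptions; the sample requests are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed for illustration: the page does not give the CMS's own origin.
TRUSTED_ORIGIN = "https://cms.example"
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, kept server-side


def issue_token(session_id):
    """Token bound to the admin session; rendered as a hidden field in each form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """Compare Origin (Referer as fallback) with the CMS's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def check_state_change(headers, session_id, form):
    """Gate for state-changing POSTs such as 'create user' and 'promote user'."""
    if not same_origin(headers):
        return False, "cross-site or missing Origin/Referer"
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, issue_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo():
    """Constructed requests: the CMS's own form, then a forged cross-site post."""
    sid = "root-session-1"  # constructed session id
    own = check_state_change({"Origin": TRUSTED_ORIGIN}, sid,
                             {"username": "editor2", "csrf_token": issue_token(sid)})
    forged = check_state_change({"Origin": "http://192.168.1.26"}, sid,
                                {"username": "hacker"})
    # Same-origin header but no token: still rejected, the token is checked on its own.
    no_token = check_state_change({"Origin": TRUSTED_ORIGIN}, sid,
                                  {"username": "hacker"})
    return own, forged, no_token


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary control, since the browser then omits the cookie from cross-site POSTs.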
