In the latest version of SiberianCMS, the system administration (back-office) site lacks anti-CSRF tokens across the board. Because of this, an attacker can craft an HTML page that, once visited by a logged-in administrator, updates the SiberianCMS installation to store an XSS payload as the application name and then records user cookies silently. In effect, an attacker can take over an administrator account simply by getting the administrator to open a web page.
Steps to verify existence of vulnerability:
1. Go to http://localhost/system/backoffice_config_general
2. Set "platform name" to "><script>alert(1);</script> and save.
3. Verify that the "save" request for the back-office settings carries no CSRF token (this is what allows the attacker to make the administrator update their settings without realizing it).

Steps to reproduce from the victim's perspective:
1. Click the link sent to you by the attacker.
2. Try to access your application's login / main page.
3. Your session may now have been silently stolen by the attacker.

Steps to reproduce from the attacker's perspective:
1. Send a link hosting your malicious HTML page to the logged-in administrator.
2. Listen locally for the administrator's cookies.
3. Set the cookies in your browser and take over the admin session.
Easy fix:
Disallow HTML event handlers and script tags in all fields of the back-office general settings. Beyond that, anti-CSRF tokens should be implemented for the back-office forms.
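To make the two halves of the fix concrete, here is an added example (written for this report, not SiberianCMS's own code) of a session-bound anti-CSRF token plus output encoding for the "platform name" setting. It is in Python rather than the project's PHP so it can be run stand-alone; the form field names `csrf_token` and `platform_name`, the handler function and the in-memory settings store are assumptions, and the endpoint path is the one from the report.

```python
"""Added example: HMAC-based anti-CSRF tokens bound to the admin session, and
HTML attribute escaping of the stored platform name at render time.
Illustrative code, not SiberianCMS's own; field names and handler are assumed."""
import hashlib
import hmac
import html
import secrets

# Per-deployment secret for signing tokens (constructed here for the example;
# a real deployment would load it from configuration, never hard-code it).
SERVER_SECRET = secrets.token_bytes(32)

# Simulated settings store for POST /system/backoffice_config_general (path from the report).
SETTINGS = {"platform_name": "SiberianCMS"}


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce).

    Binding the MAC to the session id means a token is only valid for the
    session it was issued to, and a cross-site page cannot mint one because
    it never learns SERVER_SECRET.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_save_settings(session_id: str, form: dict) -> tuple:
    """Simulated 'save' handler: reject any request lacking a valid token.

    A forged cross-site POST carries the victim's cookies but not a token
    bound to the victim's session, so it fails here before anything is stored.
    Returns (http_status, message).
    """
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    # The value is stored as entered; neutralising it is the renderer's job,
    # which is more robust than trying to blacklist tags and event handlers.
    SETTINGS["platform_name"] = form.get("platform_name", "")
    return 200, "saved"


def render_platform_name() -> str:
    """Render the stored name into an attribute with full HTML escaping.

    quote=True also escapes the double quote, so a value such as
    "><script>... cannot break out of the value="..." attribute.
    """
    safe = html.escape(SETTINGS["platform_name"], quote=True)
    return f'<input name="platform_name" value="{safe}">'


if __name__ == "__main__":
    sid = "admin-session-1"  # constructed session id
    tok = issue_csrf_token(sid)
    print(handle_save_settings(sid, {"platform_name": "x"}))  # no token -> 403
    print(handle_save_settings(sid, {"platform_name": '"><script>alert(1);</script>', "csrf_token": tok}))
    print(render_platform_name())  # payload appears escaped, not as markup
```

The token is generated server-side and embedded in the back-office form; the handler checks it on every state-changing request. Escaping at render time, rather than filtering on input, covers attribute and text contexts uniformly and does not depend on keeping a blacklist of event handler names complete. Marking the admin session cookie `HttpOnly` and `SameSite=Lax` further limits both cookie theft via script and cross-site form submission.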
For more information, feel free to reply to this thread.