Xtraball / Siberian

Siberian Single App Edition (SAE), free and open-source app builder.
https://www.siberiancms.com
Open Software License 3.0

CSRF can be chained with XSS to perform a one click account takeover. #758

Open · SecGus opened this issue 4 years ago

SecGus commented 4 years ago

Summary

In the latest version of SiberianCMS, there is a massive lack of anti-CSRF tokens on the system administration site. Due to this, a malicious attacker can formulate an HTML page that, once accessed by a logged-in administrator, will update their SiberianCMS installation to include an XSS payload as the application name and register user cookies silently. Essentially, a malicious actor can take over an administrator account simply by having them access their webpage.

Steps to verify the existence of the vulnerability

  1. Go to http://localhost/system/backoffice_config_general
  2. Set "platform name" to `"><script>alert(1);</script>` and save.
  3. Access the main login page that users would access (http://localhost/admin/account/login) to trigger the injected JS.
  4. Verify the lack of a CSRF token in the "save" request for the back-office settings (this is what allows the attacker to make the admin update their settings without realizing it).

Steps to reproduce from the victim's perspective

  1. Click the link sent to you by the attacker.
  2. Try to access your application's login / main page.
  3. Your session may now have been secretly stolen by the attacker.

Steps to reproduce from the attacker's perspective

  1. Send a link that hosts your malicious HTML site to the logged-in administrator.
  2. Listen locally for the administrator's cookies.
  3. Set the cookies in your browser and take over the admin session.

Easy fix:

Disallow HTML event handlers in all fields on the back-office general settings, along with script tags. Furthermore, the implementation of anti-CSRF tokens should be pursued.

For more information, feel free to reply to this thread.
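The chain described in the report, and the two fixes it asks for, modelled as an added example (this is not SiberianCMS code, and the issue does not show the real template or POST parameter names, so the `platform_name` and `csrf_token` field names, the hidden-input markup standing in for the login page, and the session id are all assumptions). The unprotected save handler accepts a form post that carries no token, which is what a cross-site page can send; the unencoded renderer then lets the saved platform name break out of the attribute and inject a script tag on the login page. The hardened versions bind a per-session HMAC token to the save request and HTML-encode the name (quotes included) on output.

```python
import hashlib
import hmac
import html
import secrets

# Constructed stand-ins: a server secret (a real app loads this from config) and
# the exact payload from the report.
SERVER_SECRET = secrets.token_bytes(32)
XSS_PAYLOAD = '"><script>alert(1);</script>'


def render_platform_name_vulnerable(platform_name: str) -> str:
    """Interpolates the configured name into markup without encoding (assumed
    template). A name containing quotes and tags closes the attribute and
    injects a <script>, which is the XSS half of the chain."""
    return f'<input type="hidden" name="platform" value="{platform_name}">'


def render_platform_name_hardened(platform_name: str) -> str:
    """Same markup, but the value is HTML-encoded with quote=True, so it can
    neither close the attribute nor open a tag."""
    safe = html.escape(platform_name, quote=True)
    return f'<input type="hidden" name="platform" value="{safe}">'


def contains_script_tag(markup: str) -> bool:
    return "<script" in markup.lower()


def save_settings_unprotected(form: dict, settings: dict) -> bool:
    """Model of the current 'save' handler: no token, so any origin that can
    get the admin's browser to POST here (an auto-submitting form on the
    attacker's page) updates the settings. Always succeeds."""
    settings["platform_name"] = form["platform_name"]
    return True


def issue_csrf_token(session_id: str) -> str:
    """Per-session token: HMAC(secret, session_id). An attacker's page cannot
    read it (same-origin policy) and cannot compute it (no secret)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def save_settings_protected(session_id: str, form: dict, settings: dict) -> bool:
    """Hardened handler: reject the request unless it carries the token bound
    to this session. Returns True only if the settings were updated."""
    submitted = str(form.get("csrf_token", "")).encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(submitted, expected):  # constant-time comparison
        return False
    settings["platform_name"] = form["platform_name"]
    return True


def run_chain():
    """Replays the attack against both handlers and both renderers.
    Returns (unprotected_injected, protected_rejected, hardened_render_safe)."""
    admin_session = "sess-admin-01"  # constructed session id for the logged-in admin
    forged = {"platform_name": XSS_PAYLOAD}  # what a cross-site form can send: no token

    # 1. Current behaviour: the forged save lands and the login page now carries the script.
    settings = {"platform_name": "Siberian"}
    save_settings_unprotected(forged, settings)
    unprotected_injected = contains_script_tag(
        render_platform_name_vulnerable(settings["platform_name"]))

    # 2. With the token check, the same forged post is rejected and nothing changes.
    settings = {"platform_name": "Siberian"}
    protected_rejected = (not save_settings_protected(admin_session, forged, settings)
                          and settings["platform_name"] == "Siberian")

    # A legitimate save from the back-office form (token included) still works.
    legit = {"platform_name": "Siberian", "csrf_token": issue_csrf_token(admin_session)}
    assert save_settings_protected(admin_session, legit, settings)

    # 3. Even if the payload were stored, encoded output keeps it inert on the login page.
    hardened_render_safe = not contains_script_tag(render_platform_name_hardened(XSS_PAYLOAD))

    return unprotected_injected, protected_rejected, hardened_render_safe


if __name__ == "__main__":
    print(run_chain())
```

Both fixes are needed: the token stops a third-party page from driving the save, and output encoding stops a stored name from executing even when it is set by a legitimate but careless administrator or through some other path.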

SiberianCMS commented 4 years ago

Thanks, team will check.