CMSsite Cross-Site Request Forgery Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in CMSsite version 1.0. This vulnerability allows attackers to perform unauthorized administrative actions by creating malicious HTML forms. Exploitation involves tricking authenticated administrators into visiting these crafted pages, which then submit POST requests to the users.php endpoint. The requests can include parameters such as source=add_user, source=edit_user, or del=1, enabling the creation, modification, or deletion of admin accounts.

Impact

Exploitation of this vulnerability allows for unauthorized administrative actions, including the creation, modification, and deletion of admin accounts.

Reproduction

To reproduce this vulnerability, an attacker must create a malicious HTML form that submits a POST request to the users.php endpoint with the desired action parameter (add_user, edit_user, or del=1). This form can then be presented to an authenticated administrator, who, upon submission, will unintentionally perform the specified action on the admin account.