bg5sbk MiniCMS Unauthorized Page Deletion Vulnerability in File Recovery Request Handler

A vulnerability allowing unauthorized page deletion has been identified in bg5sbk MiniCMS versions through 1.8. The issue resides in the File Recovery Request Handler, specifically within the delete_page function of the /minicms/mc-admin/page.php file. This vulnerability stems from a lack of proper authentication checks, enabling remote attackers to delete published pages without any authentication. Exploitation involves sending a deletion request with a crafted mc_token Cookie, bypassing authentication requirements.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of website pages, which can disrupt content availability and functionality. Such actions may lead to significant user experience issues and damage the website's credibility. The removal of essential business pages could cause service disruptions and financial losses. Additionally, this vulnerability could be used to manipulate website data or inject malicious code, further exacerbating the damage. Recovery from such deletions can be resource-intensive and may result in permanent data loss.

Reproduction

To reproduce this vulnerability, access the backend of the MiniCMS application and navigate to the File Recovery Request page. Once there, initiate a file recovery request and capture the outgoing data packet. Remove the original cookie field and replace it with a deletion request that includes the mc_token Cookie. Send the modified packet to delete the targeted page, which will be moved to the Recycle Bin, demonstrating the vulnerability by successfully removing a page without proper authorization.

Remediation

It is recommended to upgrade to the latest stable version of MiniCMS, as the current version 1.8 is vulnerable. Additionally, implement permission verification checks before allowing page deletions, validate the mc_token Cookie, and consider changing the request method to POST with CSRF token verification to prevent unauthorized deletion requests.