MuraCMS Trash Restore Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in MuraCMS versions through 10.1.10, allowing attackers to restore deleted content from the trash to unauthorized locations. The vulnerability arises because the cTrash.restore function does not validate CSRF tokens, enabling malicious websites to forge requests that restore content to arbitrary parent locations when an authenticated administrator visits the crafted webpage. Exploitation of this vulnerability could result in the unauthorized restoration of deleted content to inappropriate or malicious locations within the MuraCMS website structure.

Impact

Successful exploitation allows for the unauthorized restoration of deleted content, which could include sensitive documents or outdated content that was removed for security or compliance reasons, to potentially harmful locations within the website structure.

Reproduction

To reproduce this vulnerability, an authenticated administrator must be tricked into visiting a malicious webpage that contains the CSRF exploit. This page can be crafted to automatically submit a hidden form that restores specific content from the trash to a location chosen by the attacker, using the parentid parameter. This exploitation takes advantage of the lack of CSRF token validation in the cTrash.restore function.
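The root cause described above is a state-changing handler that trusts the session cookie alone. The following Python model is an added illustration, not MuraCMS code and not the vendor's fix: a toy trash store with a `restore(contentid, parentid)` handler in two variants, one that checks only that a session exists (the pattern the advisory describes) and one that additionally requires a per-session synchronizer token from the form body and rejects requests whose `Sec-Fetch-Site`/`Origin` headers mark them as cross-site. All names, the site origin, the content ids and the request dictionaries are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the CMS's own origin (assumption, not a MuraCMS value).
SITE_ORIGIN = "https://cms.example.test"


@dataclass
class Session:
    """Authenticated admin session, as presented by the browser's session cookie.
    The CSRF token is bound to the session and embedded only in same-origin pages."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class TrashStore:
    """Toy content tree: items in the trash remember their original parent."""
    trash: dict = field(default_factory=dict)   # content_id -> original parent
    tree: dict = field(default_factory=dict)    # content_id -> current parent

    def restore(self, content_id: str, parent_id: str) -> None:
        self.trash.pop(content_id)            # KeyError if the item is not in the trash
        self.tree[content_id] = parent_id


def make_store() -> TrashStore:
    """Fresh store with one constructed trashed item."""
    store = TrashStore()
    store.trash["content-42"] = "archive"
    return store


def restore_unprotected(session, form: dict, store: TrashStore) -> str:
    """Vulnerable pattern: the only check is that a logged-in session exists.
    Browsers attach the session cookie to a form posted from any origin, so a
    forged cross-site POST restores the item wherever parentid says."""
    if session is None:
        return "denied: not authenticated"
    store.restore(form["contentid"], form["parentid"])
    return f"restored {form['contentid']} under {form['parentid']}"


def restore_protected(session, form: dict, headers: dict, store: TrashStore) -> str:
    """Hardened pattern: require the session's synchronizer token in the form
    body (unreadable cross-origin) and, as defence in depth, reject requests
    that the browser itself labels cross-site or that carry a foreign Origin."""
    if session is None:
        return "denied: not authenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; an empty or guessed token never matches.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "denied: missing or invalid CSRF token"
    if headers.get("Sec-Fetch-Site") == "cross-site":
        return "denied: cross-site request"
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "denied: cross-site request"
    store.restore(form["contentid"], form["parentid"])
    return f"restored {form['contentid']} under {form['parentid']}"


def simulate() -> dict:
    """Replay the advisory's scenario against both handlers and collect outcomes."""
    admin = Session(user="admin")
    # Constructed forged request: submitted by the admin's browser from another
    # site, so it carries the session but cannot contain the session's token.
    forged_form = {"contentid": "content-42", "parentid": "public/home"}
    forged_headers = {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}
    # Constructed legitimate request from the admin UI, token included.
    legit_form = dict(forged_form, csrf_token=admin.csrf_token)
    legit_headers = {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"}

    results = {}
    store = make_store()
    results["unprotected_forged"] = restore_unprotected(admin, forged_form, store)
    results["unprotected_forged_tree"] = dict(store.tree)

    store = make_store()
    results["protected_forged"] = restore_protected(admin, forged_form, forged_headers, store)
    results["protected_forged_tree"] = dict(store.tree)
    results["protected_legit"] = restore_protected(admin, legit_form, legit_headers, store)
    results["protected_legit_tree"] = dict(store.tree)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The token check is the fix; the header checks only add a second layer, since `Sec-Fetch-Site` is absent in older clients and `Origin` is not sent on every request type, which is why the code treats a missing header as neutral rather than as proof of same-origin.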

Remediation

Users can update to MuraCMS version 10.1.10 or later, where this vulnerability has been addressed.

Added: Mar 18, 2026, 4:45 PM
Updated: Mar 18, 2026, 4:45 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.5
remediation: 7.7
relevance: 4.1
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.