RiteCMS Cross-Site Request Forgery Vulnerability Allowing Arbitrary Page Creation

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in RiteCMS version 3.1.0. This vulnerability allows attackers to create pages arbitrarily by sending a crafted POST request. The issue arises because the application does not validate CSRF tokens for page creation or editing requests, enabling exploitation with the victim's session.

Impact

Exploitation of this vulnerability allows for Cross-Site Request Forgery, where an attacker can perform actions on behalf of a user. In this case, it can lead to arbitrary page creation, which could be used to inject malicious content. Additionally, according to Michal Biesiada, this vulnerability can be chained with another CSRF vector to achieve Remote Code Execution, forming an attack chain.

Reproduction

To reproduce this vulnerability, an authenticated user (admin or user/editor) must be tricked into visiting an attacker-controlled webpage or clicking a crafted link. The attacker page can automatically submit a POST request to 'admin.php?mode=edit&id=<id>' with the necessary parameters to create or update a page. Since the application lacks proper CSRF token validation, the request is processed with the user's session, resulting in the creation of a page that could contain malicious payloads.