#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  ONELAN CMS [1]
# Vendor:   ONELAN
# CSNC ID:  CSNC-2018-007
# Subject:  Cross-Site Request Forgery
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Stephan Sekula
# Date:     06.02.2018
#
#############################################################

Introduction:
-------------
The ONELAN Content Management System (CMS) software leverages more than a
decade of development and industry experience to deliver users a business
tool that makes creating, publishing and managing content simple and
dependable. [1]

Compass Security discovered a security flaw in the ONELAN CMS which allows
an attacker to make logged-in users execute unintended actions.

Affected:
---------
Vulnerable:
 * CMS V3.3.0 Build 56815

Technical Description
---------------------
Requests do not include anti-CSRF tokens. Therefore, an attacker can predict
entire requests in advance. Abusing this via prepared links or forms allows
them to make logged-in users unintentionally execute actions in the
application. For instance, the following Proof of Concept code can be used
to delete a file:
Workaround / Fix:
-----------------
This issue can be fixed by including in each state-changing request a random
token that changes for each user session. If the server receives a request
that does not include the correct token, it should reject that request.

Timeline:
---------
2018-05-29: Public disclosure
2018-05-28: Release of fixed version/patch
2018-02-12: Initial vendor response
2018-02-06: Initial vendor notification
2018-02-06: Discovery by Stephan Sekula

References:
-----------
[1] https://onelan.com/products/publisher-cms/
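Appendix: worked example of the fix
------------------------------------
The following Python code illustrates the countermeasure described under
"Workaround / Fix". It is an added example written for this advisory and is
not code from ONELAN or from the CMS; the request model, the in-memory
session store, the file store and the two "delete" handlers are constructed
for illustration only. It contrasts a handler that accepts any delete
request from a logged-in session (the flawed pattern) with one that binds a
random per-session token to every form and rejects requests that do not
carry it.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory session store: session id -> session data.
# A real deployment would keep this server-side (database, cache, ...).
SESSIONS: Dict[str, Dict[str, str]] = {}


def create_session() -> str:
    """Log a user in: create a session and bind a fresh random anti-CSRF
    token to it. The token is unpredictable and differs per session."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in forms it renders for this session."""
    return SESSIONS[session_id]["csrf_token"]


def render_delete_form(session_id: str, filename: str) -> str:
    """Server-rendered form: the hidden field carries the session's token,
    which a third-party site cannot read and therefore cannot reproduce."""
    return (
        '<form method="POST" action="/delete">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}">'
        f'<input type="hidden" name="file" value="{filename}">'
        '<button>Delete</button></form>'
    )


def token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison against the token bound to the session."""
    session = SESSIONS.get(session_id)
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())


@dataclass
class Request:
    """Minimal constructed stand-in for an HTTP request."""
    method: str
    path: str
    cookies: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)


def _do_delete(request: Request, storage: Dict[str, bytes]) -> Tuple[int, str]:
    name = request.form.get("file", "")
    if name not in storage:
        return 404, "no such file"
    del storage[name]
    return 200, f"deleted {name}"


def vulnerable_delete(request: Request, storage: Dict[str, bytes]) -> Tuple[int, str]:
    """Flawed pattern: only the session cookie is checked. Because browsers
    attach cookies automatically, a prepared form on another site is enough
    to trigger the deletion on behalf of the logged-in user."""
    session_id = request.cookies.get("session")
    if session_id not in SESSIONS:
        return 401, "not logged in"
    return _do_delete(request, storage)


def protected_delete(request: Request, storage: Dict[str, bytes]) -> Tuple[int, str]:
    """Fixed pattern: the request must also carry the session's anti-CSRF
    token, so a request prepared without knowledge of it is rejected."""
    session_id = request.cookies.get("session")
    if session_id not in SESSIONS:
        return 401, "not logged in"
    if request.method != "POST":
        return 405, "state-changing actions require POST"
    if not token_is_valid(session_id, request.form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return _do_delete(request, storage)


def demo() -> Dict[str, int]:
    """Run the same forged request against both handlers and a genuine
    request against the fixed one; returns the HTTP status codes."""
    sid = create_session()
    files = {"banner.png": b"<constructed content>"}
    # Request as a third-party page could prepare it: cookie present
    # (added by the browser), token absent.
    forged = Request("POST", "/delete", {"session": sid}, {"file": "banner.png"})
    # Request as the server's own rendered form would submit it.
    genuine = Request("POST", "/delete", {"session": sid},
                      {"file": "banner.png", "csrf_token": csrf_token_for(sid)})
    return {
        "forged_vs_vulnerable": vulnerable_delete(forged, dict(files))[0],
        "forged_vs_protected": protected_delete(forged, dict(files))[0],
        "genuine_vs_protected": protected_delete(genuine, dict(files))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The token must be generated from a cryptographic source (here
`secrets.token_urlsafe`), stored server-side with the session rather than
derived from anything the attacker can predict, compared in constant time,
and required on every request that changes state, not only on the delete
action used as the example above.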