ContaoCMS (fka TYPOlight) 2.11 CSRF (Delete Admin- Delete Article)

Posted on lunedì 27 febbraio 2012 by Ivano Binetti

ContaoCMS (fka TYPOlight) 2.11 version (and lower) in affected by a CSRF vulnerability which allows to delete administrator/users, delete article, news, newsletter and so on.
I've created an Advisory describing this vulnerability and the methods to exploit it:
ContaoCMS Ivano Binetti's Advisory

There are other web sites which have reported my security Advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1297
http://osvdb.org/show/osvdb/79635
http://packetstormsecurity.org/files/110214/ContaoCMS-2.11.0-Cross-Site-Request-Forgery.html
http://www.exploit-db.com/exploits/18527/
http://secunia.com/advisories/48180/
http://www.securelist.com/en/advisories/48180
http://xforce.iss.net/xforce/xfdb/73479
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1297
https://bugs.launchpad.net/bugs/cve/2012-1297
http://cxsecurity.com/cveshow/CVE-2012-1297/

0 Responses to "ContaoCMS (fka TYPOlight) 2.11 CSRF (Delete Admin- Delete Article)":