AdaptCMS 2.0.4 CRF Non-Vulnerability posted December 15

One of the things you have to do (to be a somewhat decent web developer) as someone who makes CMS's is, essentially to search time to time to see if someone has broken or attacked your software. This has happened in the past with AdaptCMS (it happens with every software in existence, see - Windows) and we are very quick to fix these bugs or security holes.

I searched several times for the most recent version, 2.0.4, but found nothing until today. Posted on a few sites, including 1337day (a good site in the past, for CMS exploits) which has posted an AdaptCMS 2.0.4 CSRF Vulnerability. Here's the link to it below:

Check it Out

Looking at the code, I initially thought that this was a security hole - however I cannot reproduce what this alleged "Vulnerability" is clearly trying to allege. Essentially it is a self-submitting form with hidden values containing username, password, email and group to a target site with the correct URL as if you were adding a user in the admin area yourself. In principle, it makes sense.

The problem is, the system stops this. I tested this live, but if I am mis-understanding the purpose of the code - any group out there, please tell me. (dealing with numerous hackers in the past, I ask to please contact me, don't prove your point by doing a DDOS attack or something) As it is right now, you first must have a cookie on the site and a session matching the user credintials in the database of an admin to access that url - no matter where it is.

In the main configuration, before anything is rendered, this check is done. Testing it live myself, I was re-directed to the login page and after checking my database, no records inserted.

Take this post as an open question to any group that posted this attack, if I made a mistake I do want to fix it immediately. But secondly, to users of AdaptCMS or those that might be interested - until further notice, I consider this reported attack to be false.

Thank you.

Sincerely,

Charlie Page

Back to News Archive »

Comments