CVE-2018-17366
📋 TL;DR
This cross-site request forgery (CSRF) vulnerability in MCMS 4.6.5 lets an attacker create an administrator account by luring a logged-in administrator to a web page that silently submits a request to ms/basic/manager/save.do. The victim's browser attaches the MCMS session cookie, so the attacker needs no credentials of their own. Every MCMS 4.6.5 installation is affected; the administrator interface only has to be reachable from the victim's browser, not from the attacker.
💻 Affected Systems
- MCMS (MingSoft Content Management System)
📦 What is this software?
MCMS is an open-source, Java-based content management system published by MingSoft (Mingsoft).
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the CMS with attacker creating persistent admin accounts, defacing websites, stealing data, and deploying malware to visitors.
Likely Case
Attackers create hidden admin accounts to maintain persistent access, modify content, or install backdoors for future exploitation.
If Mitigated
With anti-CSRF tokens (and SameSite session cookies) enforced on the endpoint, forged requests are rejected outright. Restricting the administrator interface to trusted addresses narrows who can be a victim but does not stop a request forged through an administrator's own browser. Residual impact is then limited to rejected account-creation attempts, which can be logged and investigated.
🎯 Exploit Status
Exploitation requires an authenticated administrator to visit an attacker-controlled page while logged in to MCMS. No credentials and no authentication bypass are needed, because the victim's browser supplies the session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.6 or later
Vendor Advisory: https://gitee.com/mingSoft/MCMS/issues/IM1DA
Restart Required: No
Instructions:
1. Back up the current installation.
2. Download MCMS 4.6.6 or later from the official repository.
3. Replace the affected files.
4. Verify that the ms/basic/manager/save.do endpoint now validates a CSRF token.
🔧 Temporary Workarounds
CSRF Protection Implementation
Manually add CSRF token validation to the vulnerable endpoint.
Implement anti-CSRF tokens in the ms/basic/manager/save.do controller, and reject state-changing requests whose Origin or Referer header does not match the admin panel's origin.
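The check the controller (or a filter placed in front of it) has to perform, written here as an added Python example rather than MCMS code. It assumes a hypothetical admin-panel origin, a per-session synchronizer token stored server-side, and a form field named `_csrf`; MCMS's real field and session names may differ. Two independent defences are applied: the request's source origin is verified from Origin (preferred) or Referer, with a missing header or `Origin: null` treated as untrusted, and the submitted token is compared to the session token in constant time.

```python
import hmac
import secrets
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Hypothetical value: the origin at which the MCMS admin panel is served.
ADMIN_ORIGIN = "https://cms.example.com"

# Path family named in the advisory, and the methods that must be protected.
PROTECTED_PATH_PREFIX = "/ms/basic/manager/"
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token() -> str:
    """Create a per-session anti-CSRF token; the caller stores it in the server-side session."""
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_origin_allowed(headers: Mapping[str, str]) -> bool:
    """Verify the request's source origin against the admin panel's origin.

    Origin is preferred, Referer is the fallback. If neither is present the request
    is rejected: browsers send Origin on every cross-site POST, so a state-changing
    request with no source information is treated as untrusted, not trusted.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None:
        # "null" is what browsers send from sandboxed or opaque contexts; never accept it.
        return origin.lower() == ADMIN_ORIGIN.lower()
    referer = h.get("referer")
    if referer:
        return _origin_of(referer) == ADMIN_ORIGIN.lower()
    return False


def csrf_check(method: str, path: str, headers: Mapping[str, str],
               form: Mapping[str, str], session_token: Optional[str]) -> bool:
    """Return True if the request may proceed, False if it must be answered with 403."""
    if method.upper() not in UNSAFE_METHODS or not path.startswith(PROTECTED_PATH_PREFIX):
        return True                      # safe method or unrelated path: nothing to enforce
    if not source_origin_allowed(headers):
        return False
    if session_token is None:
        return False                     # no token was ever issued to this session
    submitted = form.get("_csrf", "")    # hypothetical field name; MCMS may use another
    # Compare as bytes in constant time so the check itself does not leak the token.
    return hmac.compare_digest(submitted.encode(), session_token.encode())
```

A request forged from a lure page fails the origin check before the token is even looked at; a request from the real admin form passes both. Keep the origin check even once tokens exist, because it costs nothing and catches misconfigurations where a token leaks into a GET URL or a cached page.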
Access Restriction
Restrict access to the administrator interface to trusted IP addresses only.
Configure firewall/ACL rules to limit access to /ms/basic/manager/* paths. This reduces who can be targeted but does not block a request forged through a trusted administrator's browser, so treat it as defence in depth, not a substitute for CSRF tokens.
🧯 If You Can't Patch
- Put a web application firewall in front of the admin interface and reject POSTs to /ms/basic/manager/* whose Origin or Referer header is absent or does not match the panel's origin
- Monitor administrator account creation logs and set alerts for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check whether the installed MCMS version is 4.6.5, and whether a POST to ms/basic/manager/save.do is accepted without a CSRF token and with a foreign or missing Origin/Referer header
Check Version:
Check MCMS version in admin panel or examine version files in installation directory
Verify Fix Applied:
Confirm the version is 4.6.6 or later, then test that a POST to ms/basic/manager/save.do without a valid CSRF token (or from a foreign origin) is rejected
📡 Detection & Monitoring
Log Indicators:
- Unexpected administrator account creation, especially accounts no administrator recognises
- Administrator account created in a session that never loaded the account form beforehand (no preceding GET to the form page from the same session)
- POST requests to /ms/basic/manager/save.do whose Referer or Origin header is missing or points to a domain other than the admin panel
Network Indicators:
- Unusual traffic patterns to administrator endpoints
- Requests from unexpected sources to account creation endpoints
SIEM Query:
source="web_logs" AND uri="/ms/basic/manager/save.do" AND method="POST" AND NOT (referrer CONTAINS "expected-domain")
(Pseudo-query: replace "expected-domain" with the admin panel's host. A missing referrer also fails the CONTAINS test and is surfaced, which is intended, since a lure page can suppress Referer with a referrer policy.)
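The same logic as the query above, as an added example (not part of the original advisory) run over constructed web-server log lines in the common "combined" format. It assumes a hypothetical admin-panel origin and that the front-end web server logs Referer; it flags POSTs to the vulnerable endpoint whose Referer is absent or belongs to another origin and ignores everything else.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Origin where the MCMS admin panel is served (hypothetical value for this example).
EXPECTED_ORIGIN = "https://cms.example.com"
TARGET_PATH = "/ms/basic/manager/save.do"

# Apache/nginx "combined" format: client, timestamp, request line, status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic. Line 1 is a legitimate save from the admin
# form; line 2 was submitted from a lure page; line 3 carries no Referer at all (a lure
# page with a no-referrer policy); line 4 is a GET and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2018:12:00:01 +0000] "POST /ms/basic/manager/save.do HTTP/1.1" 200 512 "https://cms.example.com/ms/basic/manager/form.do" "Mozilla/5.0"
10.0.0.5 - - [10/Sep/2018:12:07:44 +0000] "POST /ms/basic/manager/save.do HTTP/1.1" 200 512 "https://attacker.example/lure.html" "Mozilla/5.0"
10.0.0.5 - - [10/Sep/2018:12:09:10 +0000] "POST /ms/basic/manager/save.do HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Sep/2018:12:09:30 +0000] "GET /ms/basic/manager/list.do HTTP/1.1" 200 2048 "https://cms.example.com/ms/" "Mozilla/5.0"
"""


def referer_origin(referer: str) -> Optional[str]:
    """Return scheme://host of a Referer value, or None when the header was absent ("-")."""
    if not referer or referer == "-":
        return None
    p = urlsplit(referer)
    return f"{p.scheme}://{p.netloc}".lower()


def classify(line: str) -> Optional[dict]:
    """Return a finding for a POST to the vulnerable endpoint whose source origin is not the
    admin panel; None for lines that are unparseable, not POSTs, other paths, or same-origin."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or urlsplit(m["path"]).path != TARGET_PATH:
        return None
    origin = referer_origin(m["referer"])
    if origin == EXPECTED_ORIGIN.lower():
        return None
    reason = ("no Referer on state-changing request" if origin is None
              else f"foreign Referer origin {origin}")
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "referer": m["referer"], "reason": reason}


def suspicious_requests(log_text: str) -> List[dict]:
    """Scan a whole log and return findings in file order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['reason']}")
```

The status code is carried in each finding so an analyst can prioritise 200/302 responses (the account was likely created) over 403s from a patched or WAF-protected endpoint. Administrators whose browsers strip Referer globally will produce "no Referer" findings on legitimate saves; tune that case by correlating with a preceding GET of the form page from the same client rather than by suppressing it.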