CVE-2022-29647
📋 TL;DR
This CSRF vulnerability in MCMS 5.2.7 allows attackers to create unauthorized administrator accounts by tricking authenticated users into visiting malicious web pages. It affects all MCMS 5.2.7 installations with the vulnerable endpoint exposed. Attackers can gain administrative control of the content management system.
💻 Affected Systems
- MCMS
📦 What is this software?
MCMS by Mingsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the MCMS instance with attacker creating persistent admin accounts, leading to data theft, defacement, or further system compromise.
Likely Case
Unauthorized admin account creation allowing content manipulation, user data access, and potential privilege escalation within the application.
If Mitigated
Limited impact with proper CSRF protections and access controls preventing successful exploitation.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users but is technically simple with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Implement CSRF Protection
Add CSRF tokens to the vulnerable endpoint ms/basic/manager/save.do and validate them on the server side.
Restrict Access to Admin Endpoints
Configure the web server or application firewall to restrict access to the ms/basic/manager/save.do endpoint to trusted IP addresses only.
🧯 If You Can't Patch
- Implement strict access controls and network segmentation to limit exposure of the MCMS admin interface.
- Deploy a web application firewall with CSRF protection rules and monitor for suspicious admin account creation attempts.
🔍 How to Verify
Check if Vulnerable:
Check if MCMS version is 5.2.7 and the endpoint ms/basic/manager/save.do is accessible without CSRF protection.
Check Version:
Check MCMS configuration files or admin interface for version information.
Verify Fix Applied:
Test that CSRF tokens are required and validated for the save.do endpoint, and unauthorized admin creation attempts fail.
📡 Detection & Monitoring
Log Indicators:
- Unexpected admin account creation events
- Multiple failed login attempts followed by successful admin creation
- Access to ms/basic/manager/save.do from unusual IP addresses
Network Indicators:
- HTTP POST requests to ms/basic/manager/save.do without proper referrer headers or CSRF tokens
- Traffic patterns showing admin interface access from unexpected sources
SIEM Query:
source="web_logs" AND (url="*/ms/basic/manager/save.do" OR event="admin_account_created") AND NOT user="authorized_admin"
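As an added example (not from this advisory and not part of MCMS), the Network Indicators above can be checked offline against web-server access logs: the script below flags POST requests to the vulnerable endpoint whose Referer is missing or names a host other than the site itself. The hostname cms.example.com and the log lines are assumed and constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed hostname of the MCMS instance; adjust to the deployment being checked.
TRUSTED_HOSTS = {"cms.example.com"}
VULNERABLE_PATH = "/ms/basic/manager/save.do"  # endpoint named in the advisory

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def referer_is_trusted(referer: str) -> bool:
    """True only when the Referer names one of the site's own hosts."""
    if not referer or referer == "-":
        return False
    host = urlparse(referer).hostname
    return host is not None and host.lower() in TRUSTED_HOSTS

def find_suspicious_saves(lines):
    """Return (ip, timestamp, referer) for each POST to save.do whose Referer is absent or foreign."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        if m["method"] != "POST" or urlparse(m["path"]).path != VULNERABLE_PATH:
            continue
        if not referer_is_trusted(m["referer"]):
            hits.append((m["ip"], m["ts"], m["referer"]))
    return hits

# Constructed sample lines (not real traffic): one legitimate save from the admin UI,
# one POST referred from a third-party page, one with no Referer, one unrelated GET.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/May/2022:12:00:01 +0000] "POST /ms/basic/manager/save.do HTTP/1.1" 200 312 "https://cms.example.com/ms/basic/manager/form.do" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2022:12:03:17 +0000] "POST /ms/basic/manager/save.do HTTP/1.1" 200 312 "http://lure.example/page.html" "Mozilla/5.0"',
    '198.51.100.2 - - [10/May/2022:12:04:40 +0000] "POST /ms/basic/manager/save.do HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/May/2022:12:05:00 +0000] "GET /ms/index.do HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, ref in find_suspicious_saves(SAMPLE_LOG):
        print(f"{ts} {ip} POST {VULNERABLE_PATH} referer={ref!r}")
```

A missing Referer is also produced legitimately by strict referrer policies and some proxies, so treat such hits as leads to correlate with admin account creation events rather than as proof of exploitation.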