CVE-2023-29815
📋 TL;DR
MCCMS v2.6.3 is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to trick authenticated users into performing unintended actions on the CMS. This affects all users running the vulnerable version who have administrative or user accounts. The vulnerability enables attackers to perform actions on behalf of authenticated users without their consent.
💻 Affected Systems
- MCCMS
📦 What is this software?
Mccms by Chshcms
⚠️ Risk & Real-World Impact
Worst Case
Attackers could create new admin accounts, modify content, change configurations, or delete critical data by tricking administrators into clicking malicious links.
Likely Case
Attackers could create unauthorized user accounts, modify content, or perform limited administrative actions through social engineering.
If Mitigated
With proper CSRF protections, requests would require valid tokens, preventing unauthorized actions even if users click malicious links.
🎯 Exploit Status
Exploitation requires the victim to be authenticated and to interact with a malicious page/link. The GitHub issue shows proof of concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.6.4 or later
Vendor Advisory: https://github.com/chshcms/mccms/issues/3
Restart Required: No
Instructions:
1. Download the latest version from the official repository.
2. Back up your current installation.
3. Replace vulnerable files with patched versions.
4. Verify that CSRF tokens are now properly implemented.
🔧 Temporary Workarounds
Implement CSRF Protection Middleware
Add custom CSRF token validation to all state-changing endpoints
Implement token generation and validation in your application code
Use SameSite Cookies
Configure session cookies with the SameSite=Strict attribute
Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
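The two workarounds above, sketched in Python as an added example (this is not code from MCCMS or the advisory; `SECRET_KEY`, `csrf_guard` and the `cms.example.test` host are assumptions). Tokens are bound to the session with an HMAC, the Origin/Referer check rejects the external-domain requests listed under Network Indicators, and the session cookie carries SameSite=Strict.

```python
import hmac
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlparse

# Constructed demo secret (hypothetical); load from config in a real deployment.
SECRET_KEY = b"constructed-demo-secret-rotate-me"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: random nonce bound to the session via HMAC,
    so a token captured from one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_origin(headers: dict, site: str) -> bool:
    """Defence in depth: Origin (or Referer as fallback) must name our own host.
    A state-changing request carrying neither header is rejected."""
    src = headers.get("Origin") or headers.get("Referer")
    return bool(src) and urlparse(src).netloc == site


def csrf_guard(method: str, headers: dict, form: dict, session_id: str, site: str) -> tuple:
    """Middleware decision for one request: (status, reason)."""
    if method.upper() in SAFE_METHODS:
        return 200, "ok"  # safe methods must not change state
    if not same_origin(headers, site):
        return 403, "cross-site request rejected"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"


def session_cookie_header(session_id: str) -> str:
    """Session cookie per the workaround: the browser will not attach it
    to cross-site requests, so a forged request arrives unauthenticated."""
    return f"Set-Cookie: session={session_id}; SameSite=Strict; Secure; HttpOnly; Path=/"
```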
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block CSRF attempts
- Require re-authentication for sensitive operations and implement additional confirmation steps
🔍 How to Verify
Check if Vulnerable:
Check if MCCMS version is 2.6.3 by examining the version file or admin panel. Test if state-changing endpoints accept requests without CSRF tokens.
Check Version:
Check the version.txt file or admin panel version display
Verify Fix Applied:
Verify the version is 2.6.4 or later. Test that all POST/PUT/DELETE requests require valid CSRF tokens.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed state-changing requests from same IP
- Unusual admin actions from unexpected user agents
Network Indicators:
- HTTP requests with Referer headers pointing to external domains
- State-changing requests without CSRF tokens
SIEM Query:
web_requests WHERE (method IN ('POST', 'PUT', 'DELETE')) AND (csrf_token IS NULL OR csrf_token INVALID) AND (user_authenticated = true)