CVE-2024-36669

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in idccms v1.35 allows attackers to trick authenticated administrators into performing unauthorized actions via the admin/type_deal.php endpoint. Attackers can add content types or perform other administrative functions without the admin's knowledge. Only administrators with access to the admin panel are affected.

💻 Affected Systems

Products:
  • idccms
Versions: v1.35
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator authentication and admin panel access to exploit. The vulnerability exists in the default installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of CMS content management - attackers could add malicious content types, modify site structure, or potentially chain with other vulnerabilities for full system takeover.

🟠 Likely Case

Unauthorized content type creation leading to site defacement, SEO spam injection, or creation of backdoor access points.

🟢 If Mitigated

Limited impact with proper CSRF tokens and same-origin policies in place, though some administrative actions might still be vulnerable.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to weaponize. The provided GitHub reference shows proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

1. Check for an official patch from the idccms developers
2. If no patch is available, implement CSRF protection manually
3. Add anti-CSRF tokens to admin forms and verify them server-side on every state-changing request
4. Validate Referer headers
5. Reject requests whose Origin or Referer does not match the site's own origin

🔧 Temporary Workarounds

Add CSRF Token Protection

Manually implement CSRF tokens in admin/type_deal.php and verify them on form submission

Edit admin/type_deal.php to generate and validate unique tokens per session
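As an added illustration (not idccms's own code), the following shows one way to implement the per-session token described above in a PHP handler such as admin/type_deal.php. The function names csrf_issue/csrf_verify/same_site_request and the csrf_token field name are assumptions; the existing type_deal.php action handling is represented by a comment.

```php
<?php
// Added example of the synchronizer-token pattern for a PHP admin form.
// Illustrative only; function and field names (csrf_issue, csrf_verify,
// same_site_request, csrf_token) are assumed, not taken from idccms.
session_start();

// Issue one unpredictable token per session and reuse it for all admin forms.
function csrf_issue(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
// Returns false when no token was issued, none was submitted, or they differ.
function csrf_verify(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Secondary check using Fetch Metadata: browsers that send Sec-Fetch-Site
// label cross-site requests as "cross-site". A missing header (older client)
// is passed through so the token check above remains the deciding control.
function same_site_request(): bool {
    $site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? null;
    return $site === null || $site === 'same-origin' || $site === 'none';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!same_site_request() || !csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // ... existing type_deal.php handling of the add/edit action goes here ...
}

// In the form template, embed the token as a hidden field so that only pages
// served by this site (which can read the session token) can submit the form.
$token = htmlspecialchars(csrf_issue(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="type_deal.php">';
echo '  <input type="hidden" name="csrf_token" value="' . $token . '">';
echo '  <!-- existing content-type fields -->';
echo '  <button type="submit">Save</button>';
echo '</form>';
```

A submission without the hidden field, or with a stale or forged value, is refused with 403 before any content type is created, which is also the behaviour to confirm when testing the fix.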

Restrict Admin Panel Access

Limit admin panel access to specific IP addresses or network segments

Add IP restrictions to .htaccess or web server configuration for /admin/ directory

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block CSRF attempts
  • Require re-authentication for sensitive administrative actions

🔍 How to Verify

Check if Vulnerable:

Review admin/type_deal.php source code for missing CSRF token validation in POST requests

Check Version:

Check CMS version in admin panel or readme files

Verify Fix Applied:

Test form submissions with and without valid CSRF tokens to ensure proper validation

📡 Detection & Monitoring

Log Indicators:

  • POST requests to admin/type_deal.php whose Referer header is missing or points to a site other than your own
  • Content type creation in admin logs that no administrator recalls performing

Network Indicators:

  • Admin panel form submissions arriving from external pages (cross-site Origin/Referer or Sec-Fetch-Site: cross-site)
  • Unexpected Referer headers on admin panel requests

SIEM Query:

source="web_logs" AND uri="/admin/type_deal.php" AND method="POST" AND (NOT referer CONTAINS "your-domain.com")
