CVE-2024-39153
📋 TL;DR
CVE-2024-39153 is a Cross-Site Request Forgery vulnerability in idccms v1.35 that allows attackers to trick authenticated administrators into performing unauthorized actions via the /admin/info_deal.php endpoint. This affects all deployments of idccms v1.35 with administrative interfaces accessible to users.
💻 Affected Systems
- idccms
📦 What is this software?
Idccms by Idccms
⚠️ Risk & Real-World Impact
Worst Case
An attacker could delete news content or potentially perform other administrative actions by tricking an authenticated admin into clicking a malicious link, leading to data loss or content manipulation.
Likely Case
Attackers create phishing campaigns targeting administrators to delete news content or perform limited administrative actions through forged requests.
If Mitigated
With proper CSRF protections and admin awareness the risk is minimal: a forged request can only succeed if an administrator interacts with the attacker's content, and token validation rejects it even then.
🎯 Exploit Status
Exploitation requires the victim to be authenticated as an administrator and to interact with malicious content. Public proof-of-concept demonstrates the CSRF attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available, implementing CSRF tokens, or applying workarounds.
🔧 Temporary Workarounds
Implement CSRF Token Protection
Add CSRF tokens to all administrative forms and validate them on the server side.
Modify /admin/info_deal.php to include and validate CSRF tokens in requests
Restrict Admin Interface Access
Limit access to the administrative interface to trusted IP addresses only.
Add IP-based restrictions in .htaccess or web server configuration for /admin/ directory
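The token-validation workaround above, modelled in Python as an added example (this is not idccms code; the handler names, the Session/Request classes and the TRUSTED_ORIGIN value are assumptions). It contrasts a handler that only checks for an admin session, which is the shape of the advisory's defect, with one that additionally requires POST, a same-site Origin/Referer, and a per-session CSRF token compared in constant time:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed origin of the CMS deployment (placeholder, not from the advisory).
TRUSTED_ORIGIN = "https://cms.example.test"


@dataclass
class Session:
    admin: bool = False        # True once the user has logged in as admin
    csrf_token: str = ""       # per-session secret, issued on first form render


@dataclass
class Request:
    method: str
    path: str
    params: dict               # merged query-string / form parameters
    headers: dict = field(default_factory=dict)
    session: Session = field(default_factory=Session)


def issue_csrf_token(session: Session) -> str:
    """Create (once per session) the token every admin form must echo back."""
    if not session.csrf_token:
        session.csrf_token = secrets.token_hex(32)
    return session.csrf_token


def origin_is_trusted(headers: dict) -> bool:
    """Accept a state-changing request only when Origin (or Referer) matches the site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # strict: browsers always send Origin on cross-site POSTs
    got, want = urlparse(source), urlparse(TRUSTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def vulnerable_info_deal(req: Request):
    """Before: an authenticated admin session is all that is checked, so a forged request succeeds."""
    if not req.session.admin:
        return 403, "login required"
    if req.params.get("mudi") == "del":
        return 200, f"deleted news item {req.params.get('id')}"
    return 400, "unknown action"


def hardened_info_deal(req: Request):
    """After: same action, gated by method, origin and a session-bound CSRF token."""
    if not req.session.admin:
        return 403, "login required"
    if req.method != "POST":
        return 405, "state-changing actions must use POST"
    if not origin_is_trusted(req.headers):
        return 403, "cross-origin request rejected"
    supplied = req.params.get("csrf_token", "")
    expected = req.session.csrf_token
    # compare_digest avoids timing leaks; encode so non-ASCII input cannot raise TypeError
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    if req.params.get("mudi") == "del":
        return 200, f"deleted news item {req.params.get('id')}"
    return 400, "unknown action"


def forged_request(session: Session) -> Request:
    """A cross-site request riding on the victim's cookie: foreign Origin, no token."""
    return Request("POST", "/admin/info_deal.php", {"mudi": "del", "id": "17"},
                   headers={"Origin": "https://lure.example"}, session=session)


def legitimate_request(session: Session) -> Request:
    """The admin's own form submission, carrying the token the form embedded."""
    return Request("POST", "/admin/info_deal.php",
                   {"mudi": "del", "id": "17", "csrf_token": issue_csrf_token(session)},
                   headers={"Origin": TRUSTED_ORIGIN}, session=session)


if __name__ == "__main__":
    admin = Session(admin=True)
    print("vulnerable, forged :", vulnerable_info_deal(forged_request(admin)))
    print("hardened,   forged :", hardened_info_deal(forged_request(admin)))
    print("hardened,  genuine :", hardened_info_deal(legitimate_request(admin)))
```

The token must be bound to the session and regenerated on login; a token that is merely present in the form but not compared against server-side state gives no protection. The strict Origin check will also reject legitimate clients that strip both Origin and Referer, so deployments behind such proxies should rely on the token alone rather than loosen the token check.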
🧯 If You Can't Patch
- Implement strict SameSite cookie policies and require re-authentication for sensitive actions
- Educate administrators about phishing risks and implement security awareness training
🔍 How to Verify
Check if Vulnerable:
Check if the /admin/info_deal.php endpoint accepts POST requests without CSRF token validation when mudi=del parameters are used.
Check Version:
Check CMS version in admin panel or look for version indicators in source code
Verify Fix Applied:
Verify that all administrative forms include and validate unique CSRF tokens for each session.
📡 Detection & Monitoring
Log Indicators:
- Multiple mudi=del requests to /admin/info_deal.php from the same session without corresponding form submissions
- Admin actions occurring without typical user interaction patterns
Network Indicators:
- HTTP requests to /admin/info_deal.php with mudi=del parameters originating from unexpected referrers
SIEM Query:
source="web_logs" AND uri="/admin/info_deal.php" AND query="mudi=del" | stats count by src_ip, user_agent
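The log and network indicators above, turned into a small detector as an added example (not part of the advisory or of idccms). It parses combined-format access log lines, isolates requests to /admin/info_deal.php carrying mudi=del, and flags those whose referer is absent or off-site, or which arrive as GET; the aggregation mirrors the SIEM query's `stats count by src_ip, user_agent`. The log lines and the TRUSTED_HOST value are constructed for the example:

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Assumed: the CMS is served from this host (placeholder, not from the advisory).
TRUSTED_HOST = "cms.example.test"
TARGET_PATH = "/admin/info_deal.php"

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic. Line 1 is the admin's own deletion from
# the CMS; lines 2-3 have the CSRF shape: the delete fires from a foreign or absent
# referer. Line 4 is ordinary admin browsing and must not match.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "POST /admin/info_deal.php?mudi=del&id=17 HTTP/1.1" 200 512 "https://cms.example.test/admin/info.php" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2024:12:05:44 +0000] "GET /admin/info_deal.php?mudi=del&id=18 HTTP/1.1" 200 512 "http://lure.example/news.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2024:12:05:45 +0000] "GET /admin/info_deal.php?mudi=del&id=19 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2024:12:06:00 +0000] "GET /admin/info.php HTTP/1.1" 200 2048 "https://cms.example.test/admin/" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """List the reasons this entry looks like a forged info_deal.php delete (empty = benign)."""
    url = urlparse(entry["uri"])
    if url.path != TARGET_PATH or parse_qs(url.query).get("mudi") != ["del"]:
        return []
    reasons = []
    ref = entry["referer"]
    if ref in ("-", ""):
        reasons.append("no referer on a state-changing admin request")
    elif urlparse(ref).hostname != TRUSTED_HOST:
        reasons.append(f"off-site referer {urlparse(ref).hostname}")
    if entry["method"] != "POST":
        reasons.append(f"delete issued via {entry['method']}")
    return reasons


def find_suspicious(lines) -> list:
    """Parse every line and keep those that classify() flags, with the evidence attached."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than guess
        reasons = classify(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "ua": entry["ua"], "reasons": reasons})
    return hits


def count_by_source(hits) -> Counter:
    """Equivalent of the SIEM query's `stats count by src_ip, user_agent`."""
    return Counter((h["ip"], h["ua"]) for h in hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for hit in found:
        print(hit["ts"], hit["ip"], "; ".join(hit["reasons"]))
    for (ip, ua), n in count_by_source(found).items():
        print(f"{ip} {ua}: {n} suspicious delete(s)")
```

The referer test is a useful triage signal but not proof: browsers honouring a strict Referrer-Policy, privacy extensions and some proxies strip the header, so a missing referer alone should raise the event's score rather than page someone. Correlating the flagged requests with the admin's session activity just before them (the advisory's "without corresponding form submissions") is what separates a forged delete from an unusual but genuine one.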