CVE-2018-19561
Description
sikcms 1.1 has CSRF via admin.php?m=Admin&c=Users&a=userAdd to add an administrator account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF flaw in sikcms 1.1 allows an attacker to create a new administrator account without the victim's consent.
Vulnerability
sikcms version 1.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the administrative user creation endpoint accessible at admin.php?m=Admin&c=Users&a=userAdd. The application does not implement any anti-CSRF tokens or other request validation mechanisms for this action, allowing an attacker to craft a malicious HTML form that, when submitted by an authenticated administrator, will create a new administrator account with attacker-controlled credentials [1].
Exploitation
An attacker must lure an already authenticated sikcms administrator to a page they control (for example via a phishing email, or by hosting the page on a site the admin visits). That page contains an HTML form targeting the vulnerable endpoint with the parameters roleid, username, password, repassword, realname, email, and verify, plus script that submits it on load, so no interaction beyond opening the page is required. The browser attaches the administrator's session cookie to the forged POST. The PoC may also call history.pushState to rewrite the page URL; this changes only the path reported in the Referer header, not the origin, so an Origin or Referer check would still identify the request as cross-site [1].
Impact
Successful exploitation allows an attacker to add an arbitrary administrator account to the sikcms backend. Once the account is created, the attacker can log in with the chosen credentials and gain full administrative control over the CMS, leading to complete compromise of confidentiality, integrity, and availability of the application and its data [1].
Mitigation
As of the publication date (2018-11-26), no patch or fixed version had been released, and the vendor repository does not indicate a subsequent fix. Mitigation requires adding CSRF protection to the application itself: a per-session token embedded in the form and validated on every state-changing request, and/or a check that the Origin (or, failing that, Referer) header matches the site's own origin, rejecting requests where neither header is present. Marking the session cookie SameSite is a useful defence in depth but depends on browser support and does not replace the server-side check. Administrators should avoid opening untrusted links while logged into the admin panel [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
sikcms, version range: = 1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/chenfeizhou/sikcms-v1.1/issues/1 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.