FuryKangaroo issues

Results 3 issues of


                                            FuryKangaroo

There are three CSRF vulnerabilities that can add pages to the website home page

After the Administrator logged in,open the following two pages. poc: fist.html add a page to the website home page and can jump to designated website. ``` history.pushState('', '', '/') ```...

There is a CSRF vulnerability that can modify website basic configuration.

1.before modification ![image](https://user-images.githubusercontent.com/42108055/43986873-0371dca4-9d4b-11e8-9748-d5cab3c55d1b.png) 2.CSRF POC ![image](https://user-images.githubusercontent.com/42108055/43986950-2f11cec2-9d4c-11e8-9adc-6e06f030b618.png) ![image](https://user-images.githubusercontent.com/42108055/43986900-81e33998-9d4b-11e8-823f-e3ce95522e0b.png) 3.after modification ![image](https://user-images.githubusercontent.com/42108055/43986965-59f5be8c-9d4c-11e8-9dd0-856b03333921.png) 4.CSRF POC [poc.txt](https://github.com/chshcms/cscms/files/2279832/poc.txt)

There is a CSRF vulnerability that creates vip members and administrators, and it can modify administrator's passwords and can also authenticateand and recommend vip members.

first: Create a member ![image](https://user-images.githubusercontent.com/42108055/43961064-886c2500-9ce6-11e8-993b-596d7fc26b3f.png) ![image](https://user-images.githubusercontent.com/42108055/43960909-1abff900-9ce6-11e8-8683-6e572ddb3fe4.png) second： authenticate vip members. ![image](https://user-images.githubusercontent.com/42108055/43961088-95891400-9ce6-11e8-94b7-9969afb14569.png) ![image](https://user-images.githubusercontent.com/42108055/43961221-e7319e80-9ce6-11e8-93ea-e1d20d0a8587.png) third: Create a super administrator and web editor. ![image](https://user-images.githubusercontent.com/42108055/43961154-c0736800-9ce6-11e8-9c6a-507bca9654cf.png) ![image](https://user-images.githubusercontent.com/42108055/43961367-59a27e80-9ce7-11e8-9f9f-5efc769634b0.png)