Pligg Auto-Voter Using XSS to Bypass CSRF Protection

2008.08.13
Credit: michaelbrooks
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Explanation: Pligg suffers from a reflected Cross-Site Scripting vulnerability in index.php, in the handling of the $_GET['category'] variable. Exploit code was written that uses this flaw to bypass the CSRF protection and then vote on any Pligg article of the attacker's choosing. I took inspiration from the MySpace Samy worm, which used XMLHttpRequest() to read the randomly generated token that protects requests from forgery. This is a more serious attack when combined with my Captcha Implementation Bypass (http://www.rooksecurity.com/blog/?p=17), which allows an attacker to create new user accounts.
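To make the defensive point concrete, the following is a hypothetical PHP fragment written for this page (not Pligg's actual index.php) showing the pattern behind a reflected XSS in a category parameter next to the corrected handling. Once script runs in the page it can read the anti-forgery token, so the CSRF token is no defence against this chain; output encoding of the reflected value is the control that breaks it.

```php
<?php
// Hypothetical reconstruction for illustration; not Pligg's own source.

// Vulnerable pattern: the raw query-string value is written straight into
// the HTML. Markup in "category" becomes part of the page, and any script
// in it runs with the victim's session. Such script can read the page's
// anti-forgery token (e.g. via XMLHttpRequest) and submit a vote with it,
// which is why a CSRF token alone does not stop the attack.
function render_category_vulnerable(array $get): string
{
    $category = isset($get['category']) ? $get['category'] : 'all';
    return "<h2>Category: " . $category . "</h2>";
}

// Hardened pattern: decide what a category may look like, reject the rest,
// and HTML-encode the value at the point it is written into the markup.
function render_category_hardened(array $get): string
{
    $category = isset($get['category']) ? (string) $get['category'] : 'all';

    // Allow-list: categories are short slugs; anything else falls back.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $category)) {
        $category = 'all';
    }

    // Output encoding for the HTML text context. ENT_QUOTES also escapes
    // single quotes, which matters if the value ever lands in an attribute.
    $safe = htmlspecialchars($category, ENT_QUOTES, 'UTF-8');
    return "<h2>Category: " . $safe . "</h2>";
}

// Constructed sample input containing markup (not an exploit string).
$input = ['category' => '<i>news</i>'];
echo render_category_vulnerable($input), "\n"; // tags pass through unchanged
echo render_category_hardened($input), "\n";   // rejected by the allow-list, renders "all"

// A value that passes the allow-list is still encoded before output.
echo render_category_hardened(['category' => 'tech-news']), "\n";
```

Keep the vote handler's token check in place as well: encoding stops the script from running, the token still stops a plain cross-site form post.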

References:

http://xforce.iss.net/xforce/xfdb/44189
http://www.securityfocus.com/bid/30516
http://www.rooksecurity.com/blog/?p=19
http://marc.info/?l=bugtraq&m=121769609623356&w=2



Copyright 2020, cxsecurity.com
