Pligg Auto-Voter Using XSS to Bypass CSRF Protection

2008.08.13

Credit: michaelbrooks

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2008-3572

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

Explanation:
Pligg Suffers from a Reflective Cross Site Scripting vulnerability in index.php. Forthe $_GET['category'] variable. Exploit code was written that uses this flaw tobypass the CSRF protection to then vote on any pligg article of the attackerschoosing. I took inspiration from the Myspace Sammy worm utilizing XMLHttpRequest() to read the randomly generated token protection requests from forgery. This is amore serious attack when combined with my Captcha Implementation Bypass(http://www.rooksecurity.com/blog/?p=17) which allows an attacker to create new useraccounts.

References:

http://xforce.iss.net/xforce/xfdb/44189

http://www.securityfocus.com/bid/30516

http://www.rooksecurity.com/blog/?p=19

http://marc.info/?l=bugtraq&m=121769609623356&w=2

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Pligg Auto-Voter Using XSS to Bypass CSRF Protection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.