Pligg Auto-Voter Using XSS to Bypass CSRF Protection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Pligg Auto-Voter Using XSS to Bypass CSRF Protection
From: michaelbrooks@xxxxxxxxxxxxxxxx
Date: Fri, 1 Aug 2008 18:04:40 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Explanation:
Pligg Suffers from a Reflective Cross Site Scripting vulnerability in 
index.php. For the $_GET['category'] variable.   Exploit code was written that 
uses this flaw to bypass the CSRF protection to then vote on any pligg article 
of the attackers choosing. I took inspiration from the Myspace Sammy worm 
utilizing XMLHttpRequest()  to read the randomly generated token protection 
requests from forgery.   This is a more serious attack when combined with my 
Captcha Implementation Bypass (http://www.rooksecurity.com/blog/?p=17)  which 
allows an attacker to create new user accounts.

Prev by Date: iDefense Security Advisory 08.01.08: Ingres Database for Linux ingvalidpw Untrusted Library Path Vulnerability
Next by Date: Homes 4 Sale Remote XSS Vulnerabilitiy
Previous by thread: iDefense Security Advisory 08.01.08: Ingres Database for Linux ingvalidpw Untrusted Library Path Vulnerability
Next by thread: Homes 4 Sale Remote XSS Vulnerabilitiy
Index(es):
- Date
- Thread