Сross-Site Request Forgery (CSRF) in XCloner Standalone
|Vulnerable Versions:||3.5 and probably prior|
|Advisory Publication:||March 14, 2014 [without technical details]|
|Vendor Notification:||March 14, 2014|
|Public Disclosure:||April 9, 2014|
|Vulnerability Type:||Cross-Site Request Forgery [CWE-352]|
|CVSSv2 Base Score:||7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered vulnerability in XCloner Standalone, which can be exploited to perform Сross-Site Request Forgery (CSRF) attacks and gain complete control over the website.
- 6 notifications by email
- 4 notifications via contact form
- 1 notification via twitter.
Currently we are not aware of any official solution for this vulnerability. As a temporary solution it is recommended to remove the vulnerable script or restrict access to it via WAF of .htaccess.
| High-Tech Bridge Advisory HTB23207 - https://www.htbridge.com/advisory/HTB23207 - Сross-Site Request Forgery (CSRF) in XCloner Standalone.|
 XCloner Standalone - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as standalone PHP/Mysql backup application.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® - a PCI compliant web application penetration test combined with managed vulnerability scan. Configure, schedule, and manage online 24/7.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.