CVE-2016-10756
Description
Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload because module.php?module=upload can be used to configure the uploading of .php files, and then modules/upload/upload_main.php can be used for the upload itself.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kliqqi 3.0.0.5 is vulnerable to CSRF that allows an attacker to configure arbitrary .php file uploads, leading to remote code execution.
Vulnerability
Kliqqi version 3.0.0.5 contains a cross-site request forgery (CSRF) vulnerability in the upload module. The module.php?module=upload endpoint can be abused to configure the upload of arbitrary .php files. This setting is then used by modules/upload/upload_main.php to perform the actual file upload. No authentication token or CSRF protection is present on these endpoints, making the attack feasible without the victim's consent. [1]
Exploitation
An attacker can craft a malicious web page or email that, when visited by an authenticated Kliqqi administrator, triggers a series of forged requests. The victim's browser automatically sends the attacker's requests, including the victim's session cookies, to the Kliqqi site. First, the attacker forces the administrator to access module.php?module=upload with parameters that permit .php file uploads. Then, a second request to upload_main.php uploads a malicious .php web shell or script. The attacker only needs the victim to be logged in and to click a link or view a crafted page. [1]
Impact
Successful exploitation allows the attacker to upload arbitrary .php files to the server, leading to remote code execution (RCE) under the privileges of the web server. The attacker can then fully compromise the Kliqqi installation, including reading, modifying, or deleting any data accessible to the web server, and potentially pivoting to other systems on the network. [1]
Mitigation
An official fix for Kliqqi 3.0.0.5 has not been released; the vendor appears to no longer maintain the software. As of the publication date (2019-05-24), no patch is available. Administrators should consider migrating to an alternative voting or content management system. As a workaround, implementing CSRF tokens via a web application firewall (WAF) or custom code changes could reduce risk, but no supported mitigation is documented in the available references. [1]
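As an added illustration of the workaround the mitigation section mentions (CSRF tokens plus a server-side upload allowlist), written here and not taken from Kliqqi's code base; the function names, the session key, the `csrf_token` form field and the allowlist contents are assumptions:

```php
<?php
// Added defensive example, not Kliqqi's own code: a synchronizer CSRF token on every
// state-changing request, plus an upload allowlist enforced independently of any setting.
declare(strict_types=1);

// Returns the per-session token; embed it as a hidden <input name="csrf_token"> in
// the settings form and the upload form.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Call first in module.php?module=upload (settings save) and in
// modules/upload/upload_main.php. A forged cross-site request cannot read the
// session token, so it fails here before any setting or file is touched.
function require_csrf_token(): void
{
    $expected = csrf_token();
    $sent = (string) ($_POST['csrf_token'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
}

// Hard-coded allowlist (assumed set of harmless types). Even if the module's
// "allowed extensions" setting were changed to include php, this check still
// refuses anything the server might execute.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
function upload_extension_allowed(string $filename): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false;               // no extension at all
    }
    array_shift($parts);            // drop the name; keep every extension segment
    foreach ($parts as $ext) {      // rejects shell.php.jpg as well as shell.php
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}
```

In an upload handler, call `require_csrf_token()` before reading `$_FILES`, then reject the request with a 400 when `upload_extension_allowed()` returns false for the submitted file name.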
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Kliqqi/Kliqqi
- Range: =3.0.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- blog.ripstech.com/2016/kliqqi-from-cross-site-request-forgery-to-code-execution/ (MISC)
- demo.ripstech.com/projects/kliqqi_3.0.0.5 (MISC)
News mentions
No linked articles in our index yet.