CVE-2023-6768
📋 TL;DR
CVE-2023-6768 is an authentication bypass vulnerability in Amazing Little Poll that allows unauthenticated attackers to access the admin panel without credentials by manipulating the 'lp_admin.php?adminstep=' parameter. This affects all installations running versions 1.3 and 1.4 of the software. Attackers could gain administrative control over poll management functions.
💻 Affected Systems
- Amazing Little Poll
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the poll application allowing attackers to modify, delete, or create polls, potentially defacing websites or manipulating poll results for malicious purposes.
Likely Case
Unauthorized access to admin panel leading to poll manipulation, data exposure, or disruption of poll functionality.
If Mitigated
Limited impact if the application is isolated with proper network segmentation and runs with minimal privileges.
🎯 Exploit Status
Exploitation requires only a web browser or simple HTTP request to the vulnerable parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.5 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-amazing-little-poll
Restart Required: No
Instructions:
1. Download the latest version from the official source.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Verify that admin authentication works correctly.
🔧 Temporary Workarounds
Access Restriction via Web Server
Block access to the lp_admin.php file using web server configuration (note that this also blocks legitimate administrators until the patch is applied):
# Apache:
<Files "lp_admin.php">
    Require all denied
</Files>
# Nginx:
location ~ /lp_admin\.php$ { deny all; }
Parameter Validation
Add an authentication check at the beginning of the lp_admin.php file, before any adminstep handling runs (the session flag name must match the one set by the poll's own login code):
<?php
session_start();
// Refuse every request that does not carry an authenticated admin session,
// regardless of the adminstep value supplied in the query string.
if (!isset($_SESSION['admin_logged_in']) || $_SESSION['admin_logged_in'] !== true) {
    header('HTTP/1.0 403 Forbidden');
    exit('Access denied');
}
?>
🧯 If You Can't Patch
- Remove or disable the Amazing Little Poll application entirely
- Implement network-level access controls to restrict access to the application from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Access http://[your-domain]/lp_admin.php?adminstep=1 without authenticating. If the admin panel loads, the system is vulnerable.
Check Version:
Check the version number in the poll configuration file or in the footer of the poll pages.
Verify Fix Applied:
Repeat the same request; it should now return an authentication prompt or an access-denied response.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to lp_admin.php without preceding authentication requests
- Multiple failed authentication attempts followed by successful lp_admin.php access
Network Indicators:
- HTTP GET requests to /lp_admin.php with adminstep parameter from unauthenticated sources
SIEM Query:
source="web_logs" AND uri="/lp_admin.php" AND query_string="*adminstep=*" AND NOT (user_agent="*bot*" OR user_agent="*crawler*")
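The log indicators above can also be checked offline against a web server access log. This is an added example, not part of the advisory; it assumes the combined log format (Apache/nginx), that the poll's login form is submitted as a POST to lp_admin.php, and uses constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (assumption: the poll is served by Apache or nginx
# writing the standard combined format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /poll/index.php HTTP/1.1" 200 1321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "POST /poll/lp_admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:06 +0000] "GET /poll/lp_admin.php?adminstep=1 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:02:30 +0000] "GET /poll/lp_admin.php?adminstep=1 HTTP/1.1" 200 4210 "-" "curl/8.4.0"
203.0.113.9 - - [10/Jan/2024:10:02:31 +0000] "GET /poll/lp_admin.php?adminstep=3 HTTP/1.1" 200 3980 "-" "curl/8.4.0"
192.0.2.44 - - [10/Jan/2024:10:03:00 +0000] "GET /poll/lp_admin.php?adminstep=1 HTTP/1.1" 200 4210 "-" "Googlebot/2.1"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec

def find_unauthenticated_admin_access(log_text):
    """Return (ip, uri) pairs for GET hits on lp_admin.php carrying an adminstep
    parameter from clients that never POSTed to lp_admin.php earlier in the log
    (assumed to be the login form submission). Bot/crawler user agents are
    skipped, mirroring the SIEM query above."""
    seen_login = set()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/lp_admin.php"):
            continue
        if rec["method"] == "POST":
            seen_login.add(rec["ip"])   # client has at least attempted to log in
            continue
        ua = rec["ua"].lower()
        if "bot" in ua or "crawler" in ua:
            continue
        if rec["method"] == "GET" and "adminstep" in rec["query"] and rec["ip"] not in seen_login:
            hits.append((rec["ip"], rec["uri"]))
    return hits

if __name__ == "__main__":
    for ip, uri in find_unauthenticated_admin_access(SAMPLE_LOG):
        print(f"ALERT: admin panel reached without prior login from {ip}: {uri}")
```

On the sample data only the 203.0.113.9 requests are reported: 198.51.100.7 submitted the login form first and the Googlebot hit is filtered out.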