PHP Melody 1.9 CSRF vulnerability

2013.08.19
Credit: Mehdi Dadkhah
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

PHP Melody 1.9 CSRF vulnerability
------------------------------------------------------------

== Description ==
- Software link: http://www.dl.seven7soft.net/script/PHPMELODY1.9.zip
- Affected versions: version 1.9. Other versions might be affected as well.
- Vulnerability discovered by: Mehdi Dadkhah (Isfahan) (Email: mehdidadkhah@live.com)
- Google Dork: intext:"PHP Melody 1.9 powered by PHP Melody."

== Vulnerabilities ==
#CSRF Address: http://site.com/admin/login.php

== Proof of concept ==
- For the CSRF Address, we have:

#CSRF Address: http://site.com/admin/login.php
Form name: login
Form action: http://site.com/admin/login.php
Form method: POST
Form inputs:
  ausername [Text]
  apassword [Password]

The form accepts a POST with no anti-CSRF token, so an attacker may force the users of the web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise the data and operations of a normal user; if the targeted end user is the administrator account, it can compromise the entire web application.

== Solution ==
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.
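As an added defender-side example (not PHP Melody's code), the countermeasure the Solution section asks for, written in PHP: a per-session synchronizer token on the admin login form described above (ausername / apassword, POST to admin/login.php), checked in constant time before the credentials reach any login logic. The helper names, the hidden field name and the login routine are assumptions.

```php
<?php
// Added example, not PHP Melody's code. Shows the countermeasure the advisory
// asks for: a per-session synchronizer token on the admin login form
// (fields ausername / apassword, POST to admin/login.php, as described above).
// csrf_token(), csrf_token_valid() and admin_login() are assumed names.

// Defence in depth: a SameSite session cookie already keeps most cross-site
// POSTs from carrying the session (array form of this call needs PHP 7.3+).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// One random token per session; reused by every form rendered in that session.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time check; missing, non-string or mismatched tokens are rejected.
function csrf_token_valid($submitted): bool {
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null)) {
        // A forged cross-site POST cannot know the token: stop before any login logic.
        http_response_code(403);
        exit('Invalid request token.');
    }
    $user = $_POST['ausername'] ?? '';
    $pass = $_POST['apassword'] ?? '';
    // admin_login($user, $pass);   // the application's own credential check (hypothetical)
    // After a successful login: session_regenerate_id(true) and rotate the token.
}
?>
<!-- Same form shape as in the advisory, plus the hidden token field -->
<form name="login" action="/admin/login.php" method="POST">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="ausername">
  <input type="password" name="apassword">
  <input type="submit" value="Log in">
</form>
```

The token is only ever rendered into this site's own page and compared server-side, so a form hosted on another origin cannot supply it; the SameSite cookie attribute is a second, independent layer rather than a replacement for the token.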

References:

http://www.dl.seven7soft.net/script/PHPMELODY1.9.zip


Copyright 2017, cxsecurity.com