Bug: PHP Melody 1.9 CSRF vulnerabilitie ( Ascii Version )

Search:
WLB2

PHP Melody 1.9 CSRF vulnerabilitie

Published
Credit
Risk
2013.08.19
Mehdi Dadkhah
Low
CWE
CVE
Local
Remote
CWE-352
N/A ( Add )
No
Yes
 Dork: intext:"PHP Melody 1.9 powered by PHP Melody."

PHP Melody 1.9 CSRF vulnerabilitie
------------------------------------------------------------

== Description ==
- Software link: http://www.dl.seven7soft.net/script/PHPMELODY1.9.zip
- Affected versions: version 1.9 .other versions might be affected as well.
- Vulnerability discovered by: Mehdi Dadkhah(Isfahan)(Email: mehdidadkhah@live.com)
-Google Dork: intext:"PHP Melody 1.9 powered by PHP Melody."


== Vulnerabilities ==
#CSRF Address :http://site.com/admin/login.php

== Proof of concept ==
- For the CSRF Address ,we have:
#CSRF Address :http://site.com/admin/login.php
Form name: login
Form action: http://site.com/admin/login.php
Form method: POST

Form inputs:
ausername [Text]
apassword [Password]

An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF
exploit can compromise
end user data and operation in case of normal user. If the targeted end user is the administrator account, this can
compromise the entire web
application.
== Solution ==
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.

References:

http://www.dl.seven7soft.net/script/PHPMELODY1.9.zip

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version