vendor:
N-13 News
by:
anT!-Tr0J4n
8.8
CVSS
HIGH
Cross-Site Request Forgery (CSRF)
352
CWE
Product Name: N-13 News
Affected Version From: 3.4
Affected Version To: 3.4
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP sp3
2010
N-13 News 3.4 Remote Admin Add CSRF Exploit
This exploit allows an attacker to create a malicious web page that, when visited by an authenticated user, will create a new admin account with the username 'admin' and the password 'admin'. The malicious web page contains two forms, one that creates the new admin account and another that sends a GET request to the main.php file. The exploit is possible due to the lack of CSRF protection in the N-13 News 3.4 application.
Mitigation:
Implement CSRF protection on all web applications.