Vendor: Who's Who Script
By: ZoRLu
CVSS: 8.8 (HIGH)
CWE: 352 (Cross-Site Request Forgery (CSRF))
Product Name: Who's Who Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2014
Who’s Who Script CSRF Exploit (Add Admin Account)
The state-changing handlers ayarsave.php, uyesave.php, slaytadd.php and slaytsave.php accept form submissions without any anti-CSRF token, so the application cannot distinguish a request the administrator intended from one forged by another site. An attacker hosts an HTML page containing a hidden form whose action points at the vulnerable script and whose fields (the username and password of the account to create) are pre-filled, plus a script that submits the form automatically. When an administrator who is logged in to Who's Who Script loads that page, the browser sends the form together with the administrator's session cookie, and the application creates a new admin account without the administrator noticing. The attacker never needs the victim's credentials; the only precondition is that the victim is authenticated in the same browser when the page is viewed.
Mitigation:
Every form that changes state (in particular those posting to the four scripts above) should carry an unpredictable token generated from a cryptographically secure random source, stored server-side in the user's session and embedded in the form as a hidden field. The handler must compare the submitted value with the stored one, using a constant-time comparison, and reject the request when the token is missing or does not match. A page on another origin cannot read the token, so it cannot forge a request that passes the check.
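As an added illustration of both the flaw described above and the token mitigation, the following PHP is not code from Who's Who Script or from the exploit author: it sketches a minimal "add user" handler in the style of a uyesave.php-type endpoint, first as the vulnerable pattern (a session check only) and then hardened with a per-session anti-CSRF token. The table and column names, the field names `username`, `password` and `csrf_token`, the `is_admin` session flag and the SQLite database are all assumptions made for the example.

```php
<?php
// Added example, not Who's Who Script code. Table, column, field and session
// names are assumptions; the point is the shape of the check, not the schema.
session_start();

// --- Vulnerable pattern (what the advisory describes) ------------------------
// The handler trusts any submission that arrives with the admin's session
// cookie. A hidden form on an attacker's page that auto-submits to this URL is
// indistinguishable from the administrator's own form submission.
function add_admin_vulnerable(PDO $db, array $post): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('admin only');
    }
    $stmt = $db->prepare('INSERT INTO users (username, password, role) VALUES (?, ?, ?)');
    $stmt->execute([
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT),
        'admin',
    ]);
}

// --- Hardened pattern: random per-session token, checked server-side --------
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so the value is safe inside HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so a mismatch does not leak
    // how many leading bytes were correct. The is_string() guard rejects
    // array-valued parameters such as csrf_token[]=x.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

function add_admin_hardened(PDO $db, array $post): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('admin only');
    }
    if (!csrf_check($post)) {
        // Reject before touching the database: a forged request from another
        // origin cannot know the token stored in this session.
        http_response_code(403);
        exit('invalid or missing CSRF token');
    }
    $stmt = $db->prepare('INSERT INTO users (username, password, role) VALUES (?, ?, ?)');
    $stmt->execute([
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT),
        'admin',
    ]);
}

// The legitimate form embeds the token as a hidden field. A cross-origin page
// cannot read this response, so it cannot copy the token into a forged form.
function render_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="uyesave.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="username"> <input type="password" name="password">'
         . '<button>Save</button></form>';
}

// Assumed wiring: GET renders the form, POST is handled by the hardened path.
$db = new PDO('sqlite:users.db'); // assumed database with a users table
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    add_admin_hardened($db, $_POST);
} else {
    echo render_form();
}
```

The same `csrf_check()` call belongs in every state-changing handler, not only the one that creates accounts, since the advisory names four affected scripts. As defence in depth, marking the session cookie `SameSite=Lax` or `Strict` stops most browsers from attaching it to cross-site form posts in the first place, but the token check is what makes the handler reject a forged request regardless of browser behaviour.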