Exploits / Vulnerability Discovered : 2018-04-02 |
Type : webapps |
Platform : php
This exploit / vulnerability Frog cms 0.9.5 crosssite request forgery (add user) is for educational purposes only and if it is used you will do on your own risk!
The application source code is coded in a way which allows malicious HTML
request to be executed without veryifying source of request.This leads to
arbitary execution with malicous request which will lead to the creation of
a privileged user.
2. Proof of Concept
Visit the application
Visit the Add Users Page.
Craft an html page with all the details for an admin user creation
and host it on a server
Upon the link being clicked by a logged in admin user, immidiately,
another admin user will get created.