Exploits / Vulnerability Discovered: 2018-08-07 | Type: webapps | Platform: php
This exploit / vulnerability, Monstra-dev 3.0.4 cross-site request forgery (account hijacking), is for educational purposes only; if you use it, you do so at your own risk.
# 1. Description
# A CSRF vulnerability in admin/user/edit in Monstra-dev 3.0.4 allows an attacker
# to take over a user account by modifying the user's data, such as email and password.
# 2. Exploit and Proof of Concept
# To exploit this vulnerability, the victim needs to be logged in at the target site, namely
# victim.com, and visit a crafted site made by the attacker, namely attacker.com.
# Then an authenticated POST request is generated from the victim's browser and
# submitted to victim.com, modifying the user's data to attacker-desired values.