PHP Melody 1.9 CSRF vulnerability

Vulnerability ID: 1044569    Vulnerability type:
Published: 2013-08-19    Updated: 2013-08-19
CVE: N/A    CNNVD-ID: N/A
Platform: N/A    CVSS score: N/A
| Source
https://cxsecurity.com/issue/WLB-2013080148
| Details
Vulnerability details have not yet been disclosed.
| Exploit
PHP Melody 1.9 CSRF vulnerability
------------------------------------------------------------
 
== Description ==
- Software link: http://www.dl.seven7soft.net/script/PHPMELODY1.9.zip
- Affected versions: version 1.9. Other versions might be affected as well.
- Vulnerability discovered by: Mehdi Dadkhah (Isfahan) (Email: mehdidadkhah@live.com)
- Google Dork: intext:"PHP Melody 1.9 powered by PHP Melody."


== Vulnerabilities ==
# CSRF Address: http://site.com/admin/login.php

== Proof of concept ==
- For the CSRF Address, we have:
# CSRF Address: http://site.com/admin/login.php
Form name: login
Form action: http://site.com/admin/login.php
Form method: POST

Form inputs:
ausername [Text]
apassword [Password]

An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise
end-user data and operations when the victim is a normal user. If the targeted end user is the administrator account, this can compromise the entire web
application.

== Solution ==
Confirm that this form needs CSRF protection and, if so, add a CSRF countermeasure such as a per-session anti-CSRF token that admin/login.php verifies before it processes the submitted credentials.
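As an added example that is not PHP Melody's own code, the following shows how the admin login form above could carry and verify a synchronizer token; only the form name and the field names ausername/apassword come from the advisory, while the token handling, cookie settings and the credentials_ok() helper are assumptions.

```php
<?php
// Added example, not PHP Melody's own code: a synchronizer-token check for the
// admin/login.php form in the advisory. Only the form name and the field names
// ausername/apassword come from the page; everything else is assumed.
declare(strict_types=1);
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]); // PHP >= 7.3
session_start();
// Issue one random token per session and reuse it for every form in that session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Accept the POST only if it carries the session's token (constant-time compare).
function csrf_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}
// Hypothetical credential check; PHP Melody's real one is not on the page.
function credentials_ok(string $user, string $pass): bool
{
    return false; // replace with password_verify() against the stored hash
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    $user = (string)($_POST['ausername'] ?? '');
    $pass = (string)($_POST['apassword'] ?? '');
    if (credentials_ok($user, $pass)) {
        session_regenerate_id(true);                        // fresh session id after login
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // and a fresh token
        header('Location: index.php');
        exit;
    }
}
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form name="login" method="post" action="login.php">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <input type="text" name="ausername"> <input type="password" name="apassword">
  <button type="submit">Log in</button>
</form>
```

The SameSite cookie attribute is a second, independent layer: the token check still rejects a cross-site POST on browsers that ignore the attribute.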