# Exploit Title: Pandora FMS v3.2.1 Cross Site Request Forgery
# Google Dork: intitle:"Pandora FMS - the Flexible Monitoring System" intext:"Your IP"
# Date: 12-07-2011
# Author: Mehdi Boukazoula
# Software Link: http://pandorafms.org/
# Version: v3.2.1
# Tested on: v <= 3.2.1
# Description: The page http://127.0.0.1/pandora_console/index.php?sec=usuarios&sec2=operation/users/user_edit
# accepts the parameters password_new, password_conf, phone, fullname and e-mail by POST request, with no
# anti-CSRF token and no check of the current password. An attacker can exploit this by sending the
# administrator (or any other logged-in privileged user) a crafted HTML page that auto-submits a POST to that
# URL with attacker-chosen values; the victim's browser attaches the session cookie, so the victim's password
# and contact details are changed without their knowledge. To fix this, the developers should add an anti-CSRF
# (synchronizer) token to the form and verify it on every state-changing POST, and require the current password
# before accepting a new one. A CAPTCHA on the form would also break the attack, since the attacker's page
# cannot solve it, but the token plus re-authentication is the standard fix and does not burden every edit.
--------------------------------------------------------------------------------------------------------
# Code of exploit (HTML) :