Anantasoft Gazelle CMS - change admin password via Cross-site Request Forgery



[MajorSecurity SA-068] Anantasoft Gazelle CMS - change admin password via Cross-site Request Forgery

Details
=======
Product: Anantasoft Gazelle CMS
Security-Risk: high
Remote-Exploit: yes
Vendor-URL: http://www.anantasoft.com
Vendor-Status: informed
Advisory-Status: published

Credits
============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.info/penetrationstest.php

Affected Products:
----------------------------
Anantasoft Gazelle CMS 1.0
Prior versions may also be vulnerable

Introduction
============
"Anantasoft Gazelle CMS is a web-based content management system."

More Details
============
MajorSecurity has discovered a vulnerability in Anantasoft Gazelle CMS which can be exploited by malicious people to conduct cross-site request forgery (CSRF) attacks.
The application performs state-changing actions, the administrator's password change among them, on any HTTP request that carries a valid session cookie; it does not check that the request was actually issued by one of its own pages (for example by means of an unpredictable anti-CSRF token). Since the browser attaches the session cookie automatically, an attacker who lures a logged-in administrator onto a malicious web site can have the victim's browser submit the password-change request and set the administrator's password to a value of the attacker's choosing.

Solution
================
Before performing any state-changing action the application should verify that the request originated from the application itself: issue an unpredictable, per-session anti-CSRF token, embed it in every form, and reject requests that do not present a matching token. Accepting such actions only via POST and checking the Origin/Referer header are useful additional layers, but they do not replace the token. Requiring the current password in the change-password form also stops this particular attack.
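
The request pattern described under More Details, and the validity checks the Solution section asks for, as an added Python example. This is not Gazelle CMS code and it does not reproduce any Gazelle request or parameter (the advisory publishes none): the handler names, the in-memory session store, the `sid` cookie, the `new_password` and `csrf_token` form fields and both origins are assumptions made for the illustration. The vulnerable handler trusts the session cookie alone, so a form auto-submitted from the attacker's page succeeds; the hardened handler additionally demands POST, a matching Origin where the browser sends one, and a per-session synchronizer token that the attacker cannot know.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed, in-memory stand-ins for a CMS session store and user table.
# Nothing here is Gazelle CMS code; names and field layouts are assumptions.
SESSIONS: Dict[str, dict] = {}
USERS: Dict[str, str] = {"admin": "original-password"}
SITE_ORIGIN = "https://cms.example"  # hypothetical deployment origin


@dataclass
class Request:
    """Minimal HTTP request model. The browser adds the session cookie to
    cross-site form submissions automatically; that is what CSRF abuses."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session with a random per-session anti-CSRF token; return the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(32)}
    return sid


def current_session(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("sid", ""))


def change_password_vulnerable(req: Request) -> Tuple[int, str]:
    """The pattern the advisory describes: the session cookie is the only check,
    and the victim's browser sends it even when the request was forged."""
    sess = current_session(req)
    if sess is None:
        return 403, "not logged in"
    USERS[sess["user"]] = req.form["new_password"]
    return 200, "password changed"


def change_password_hardened(req: Request) -> Tuple[int, str]:
    """Same action with the validity checks the advisory asks for: POST only,
    Origin must match the site when the browser sends it, and a synchronizer
    token bound to the session must be present (compared in constant time)."""
    sess = current_session(req)
    if sess is None:
        return 403, "not logged in"
    if req.method != "POST":
        return 405, "method not allowed"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin rejected"
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    USERS[sess["user"]] = req.form["new_password"]
    return 200, "password changed"


def forged_request(sid: str) -> Request:
    """What an auto-submitting form on the attacker's page produces: the admin's
    cookie rides along, but the attacker cannot know the session's token."""
    return Request(
        method="POST",
        cookies={"sid": sid},
        form={"new_password": "attacker-chosen"},
        headers={"Origin": "https://attacker.example"},
    )


def demo() -> dict:
    """Run the forged request against both handlers, then a legitimate one."""
    sid = login("admin")
    results = {}

    status, _ = change_password_vulnerable(forged_request(sid))
    results["vulnerable_forged"] = status              # 200
    results["vulnerable_password"] = USERS["admin"]    # "attacker-chosen"

    USERS["admin"] = "original-password"  # reset between runs
    status, _ = change_password_hardened(forged_request(sid))
    results["hardened_forged"] = status                # 403
    results["hardened_password"] = USERS["admin"]      # unchanged

    legit = Request(
        method="POST",
        cookies={"sid": sid},
        form={"new_password": "legit-new-password",
              "csrf_token": SESSIONS[sid]["csrf"]},
        headers={"Origin": SITE_ORIGIN},
    )
    status, _ = change_password_hardened(legit)
    results["hardened_legit"] = status                 # 200
    results["final_password"] = USERS["admin"]         # "legit-new-password"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The Origin check is deliberately permissive when the header is absent, because older browsers omit it on same-site navigations; the token is the control that must never be skipped, and comparing it with `hmac.compare_digest` avoids leaking its value through timing.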

Workaround
================
Do not browse untrusted sites or follow untrusted links while logged in to the application, and log out of the administrative session as soon as it is no longer needed.

MajorSecurity
================
MajorSecurity is a German penetration testing and security research company which focuses
on web application security. We offer professional penetration tests, security audits and
source code reviews.