# Exploit Title: FiverrScript CSRF Vulnerability (add New admin) # Author: Mahmoud Gamal (@Zombiehelp54) # Google Dork: intext:Powered by FiverrScript # Date: 10/06/2015 # Exploit Author: Scriptolution # Vendor Homepage: http://scriptolution.com # Software Link: http://fiverrscript.com # Version: 7.2 # Tested on: Windows FiverrScript is vulnerable to CSRF attack (No CSRF token in place) meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), a form will be submitted to (http://localhost/fiverrscript/administrator/admins_create.php) that will add a new user as administrator. Once exploited, the attacker can login to the admin panel ( http://localhost/fiverrscript/administrator/index.php) using the username and the password he posted in the form. CSRF PoC Code =============
Reported to script owner. Security Level: ================ High