Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Four CSRF vulnerabilities in pluck cms 4.7.9 #69
One: use CSRF vulnerability to delete pictures
Two: use the CSRF vulnerability to delete the topic
Three: use CSRF vulnerability to remove the module
Four: use CSRF vulnerability to delete pictures
Funny, even github is vulnerable.. it opened a new window for me ;)
How would you exploit this?
Admins are instructed to go to the domain.tld/login.php to logon to Pluck.
Please explain an attack vector in which the admin is not willingly logged on to the admin page.
Thank you for the thumbs down emoji. You deleted your comment that I will never understand security, since you don't know me, you cannot state this fact. I am a Penetration Tester since 2008 and have successfully penetrated several applications and websites. You have several types of attack vectors. For this you need two, Social Engineering and Phishing.
With a code audit (which is now possible as you stated that it is open source) you can maybe find exploits. Lots have been found and fixed. We are always open to learn about new exploits and bugs.
If you see another attack vector which can be used at this moment please let me know and I will certainly fix this for you, until then it is rated LOW and I think it will be a won't fix.
Waiting for you reply,