Saturday, March 12, 2016

Responsible Disclosure of CSRF in PHP Fusion 9

Recently I did some testing against PHP Fusion 9 and found that I could create additional user accounts while the admin was logged in, because the application did not protect the add-user action against cross-site request forgery (CSRF). I reached out to the development team and they had it fixed within 72 hours. Below is the original video that I sent them; they then provided one back showing that they had fixed it and asked me to test it again.

Video - Adding a user account through CSRF




Then here is the response about fixing the vulnerability in version 9.
Here is the YouTube video that he posted, as shown above in the screenshot: https://www.youtube.com/watch?v=5eLfA_ZEujQ&feature=youtu.be
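To make the bug and the fix concrete, here is an added example in Python. It is not PHP Fusion's code and not anything from the videos above; the endpoint path, form fields, session store, origins and the attacker page are all constructed for illustration. The vulnerable handler authorises an add-user POST on the session cookie alone, so a form auto-submitted from an attacker's page is accepted with the victim admin's cookie. The hardened handler adds a per-session synchronizer token plus an Origin/Referer check, which is the general shape of the fix regardless of framework.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-ins for the application's session store and user table.
# "sess-admin-1" is an already logged-in admin session; nothing here is PHP Fusion's real data.
SITE_ORIGIN = "https://fusion.example"  # hypothetical site origin
SESSIONS = {
    "sess-admin-1": {"user": "admin", "role": "admin", "csrf_token": secrets.token_hex(16)},
}
USERS = {"admin"}

# The attacker's page (constructed; the action path is hypothetical). An admin who merely
# loads it submits the form with their own session cookie attached; the attacker never
# needs to see the response.
ATTACKER_PAGE = """
<form id="f" method="POST" action="https://fusion.example/admin/add_user">
  <input type="hidden" name="username" value="mallory">
  <input type="hidden" name="password" value="Passw0rd!">
</form>
<script>document.getElementById("f").submit();</script>
"""


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def _session_for(req):
    return SESSIONS.get(req.cookies.get("session"))


def _origin_of(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def vulnerable_add_user(req):
    """Authorises on the session cookie alone, so a cross-site form post succeeds."""
    sess = _session_for(req)
    if req.method != "POST" or sess is None or sess["role"] != "admin":
        return 403, "forbidden"
    username = req.form.get("username")
    if not username:
        return 400, "missing username"
    USERS.add(username)
    return 200, "created"


def hardened_add_user(req):
    """Same action, plus a synchronizer token and an Origin/Referer check.

    The token lives in the admin's session and is echoed into the legitimate form;
    a cross-site page cannot read it (same-origin policy), and a browser-built form
    POST cannot spoof Origin. Both checks fail closed when the value is absent.
    """
    sess = _session_for(req)
    if req.method != "POST" or sess is None or sess["role"] != "admin":
        return 403, "forbidden"
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None or _origin_of(source) != SITE_ORIGIN:
        return 403, "bad origin"
    supplied = req.form.get("csrf_token", "")
    # constant-time comparison so the token cannot be recovered byte by byte
    if not hmac.compare_digest(supplied.encode(), sess["csrf_token"].encode()):
        return 403, "bad csrf token"
    username = req.form.get("username")
    if not username:
        return 400, "missing username"
    USERS.add(username)
    return 200, "created"


def forged_request(username):
    """What the victim's browser emits for ATTACKER_PAGE: victim's cookie, attacker's Origin, no token."""
    return Request("POST", {"session": "sess-admin-1"},
                   {"username": username, "password": "Passw0rd!"},
                   {"Origin": "https://attacker.example"})


def legitimate_request(username):
    """What the real admin form emits: same cookie, the site's Origin, and the session's token."""
    return Request("POST", {"session": "sess-admin-1"},
                   {"username": username, "password": "Passw0rd!",
                    "csrf_token": SESSIONS["sess-admin-1"]["csrf_token"]},
                   {"Origin": SITE_ORIGIN})


if __name__ == "__main__":
    print("vulnerable, forged:", vulnerable_add_user(forged_request("mallory")))
    print("hardened, forged:  ", hardened_add_user(forged_request("eve")))
    print("hardened, real:    ", hardened_add_user(legitimate_request("bob")))
    print("users:", sorted(USERS))
```

The token is the primary control; the Origin/Referer check is a cheap second layer, and marking the session cookie SameSite=Lax or Strict adds a third that does not depend on the application remembering to check anything. When retesting a fix like the one in the video, send the forged request once with no token, once with a token copied from a different session, and once with the correct token but an off-site Origin; all three should be refused.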


