Home > CVE > CVE-2018-20648-PHP Scripts Mall Car Rental Script 2.0.8 has Cross-Site Request Forgery Vulnerability

CVE-2018-20648-PHP Scripts Mall Car Rental Script 2.0.8 has Cross-Site Request Forgery Vulnerability

CVE-2018-20648-vikas-chaudhary

*******************************************************
# Exploit Title: PHP Scripts Mall Car Rental Script 2.0.8 has Cross-Site Request Forgery (CSRF) via accountedit.php.
# Date: 30.12.2018
# Site Title :Car Rental – Travel Booking Script
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link : https://www.phpscriptsmall.com/product/car-rental-script/
# Category: Web Application
# Version: 2.0.8
# Exploit Author: Vikas Chaudhary
# Contact: https://gkaim.com/contact-us/
# Web: https://gkaim.com/
# Tested on: Windows 10 -Firefox
# CVE-2018-20648.
*******************************************************

## VENDOR SUMMARY :- PHP Scripts Mall Pvt. Ltd. is a professional software selling portal offering wide range of innovative.
PHP Scripts Mall is a leading business and technology firm with 12 years of successful track record
in completion and implementation of numerous projects in various verticals and domains..
It has 300 plus PHP scripts ready to buy.

## Vulnerability Description=> Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
*******************************************************

_____________________________
Proof Of Concept:-
_____________________________
1. Go to the site
2- Login page and then Sign Up
3- Create an account using your mail and password.
4=Login to site and then go to edit profile and edit it
5- Now Intercept the data through Burpsuit.
6- Generate CSRF Poc.

7-Send it to victim. It’s Profile will be changed  according to you

Admin
Welcome Sir, .. Myself Vikas Chaudhary , i was interested in general knowledge since childhood , so i thought why not to share my knowledge with you, that's why i created this educational blog. Here you find world wide general knowledge of all Latest technology , Science & History Que , and Mysterious fact of the world. Here you also find knowledge about cyber security. Thanks for visit.. keep supporting....keep Loving
https://www.gkaim.com

Leave a Reply

%d bloggers like this: