Simple Php Agenda <= 2.2.8 Multiple CSRF Vulnerabilities

Simple Php Agenda 2.2.8  (and lower) is affected by a CSRF Vulnerability which allows an attacker to add a new administrator, delete an existing administrator, create/delete a new event and change any other parameters. In this document I will only  demonstrate how to:
– add a new administrator
– delete a existing administrator
– add a new event
– delete an existing event.
Other parameters can be also modified.

To view my Original Advisory:
Simple PHP Agenda 2.2.8 Multiple CSRF Advisory

MITRE CVE Numbering Authority for this vulnerability assigned me CVE-2012-1978

Other related publications:
http://secunia.com/advisories/48685
http://www.osvdb.org/show/osvdb/80793
http://xforce.iss.net/xforce/xfdb/74539
http://packetstormsecurity.org/files/111408/Simple-PHP-Agenda-2.2.8-Cross-Site-Request-Forgery.html
http://www.securelist.com/en/advisories/48685
http://1337day.com/exploits/17893
http://www.thecybernuxbie.com/exploit-report/simple-php-agenda-2-2-8-csrf-add-adminadd-new-event.aspx

Leave a Reply

Your email address will not be published. Required fields are marked *