#=======================================================================#
.____ _________ ._. | | ______ _ __/ _____/ ____ ____| | | | / _ \ \/ \/ /\_____ \_/ __ \_/ ___\ | | |__( <_> ) / / \ ___/\ \___\| |_______ \____/ \/\_/ /_______ /\___ >\___ >_ \/ \/ \/ \/\/
(http://wwwlowsec.org)
#========================================================================#
Author: C1c4Tr1Z
Date: 28/08/08
Application: Open Media Collectors Database 1.0.6 (15/05/2007)
Product WebSite: http://opendb.iamvegan.net/
#========================================================================#

#============================[CSRF]======================================#
We can change any user's or the admin's password by CSRF, knowing only the user's username.

POC:
#========================================================================#

#=============================[XSS]======================================#
With some JavaScript knowledge, we are able to execute JS code to steal cookies and hijack sessions, or to perform other changes/actions.

POC: /user_admin.php?op=edit&user_id=
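The two findings above share a root cause on the server side: the password-change action accepts any request that carries the victim's session cookie, and the `user_id` parameter of `user_admin.php` is reflected into the page without output encoding. The following is an added example (not code from OpenDB, which is written in PHP) of how a request handler closes both gaps: a per-session anti-CSRF token that is compared in constant time and rotated after use, and HTML entity encoding of any parameter that is reflected. The session store, user table and handler names are constructed stand-ins.

```python
import hmac
import html
import secrets
from typing import Optional, Tuple

# Constructed in-memory stand-ins for the session store and user table
# (hypothetical; OpenDB's real data layer is not shown in the advisory).
USERS = {"alice": "hash(old-password)"}


def issue_csrf_token(session: dict) -> str:
    """Create a per-session anti-CSRF token; the edit form must echo it back
    in a hidden field. A cross-site page cannot read it, so it cannot forge
    a valid request."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_is_valid(session: dict, submitted: Optional[str]) -> bool:
    """Constant-time comparison against the token stored in the session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_password_change(method: str, session: dict, form: dict) -> Tuple[int, str]:
    """Password-change handler that refuses requests a third-party site
    could trigger: GET is rejected outright, and POST must carry the token."""
    if method != "POST":
        return 405, "method not allowed"
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    username = form.get("username", "")
    if username not in USERS:
        return 404, "no such user"
    USERS[username] = "hash(" + form.get("new_password", "") + ")"
    # Rotate the token so a captured form submission cannot be replayed.
    session["csrf_token"] = secrets.token_urlsafe(32)
    return 200, "password updated"


def render_edit_form(user_id: str) -> str:
    """Reflect user_id into the edit form with HTML entity encoding, so the
    parameter can never break out of the attribute into markup or script."""
    return '<input name="user_id" value="%s">' % html.escape(user_id, quote=True)


if __name__ == "__main__":
    session = {}
    # A cross-site request carries the cookie but not the token: rejected.
    print(handle_password_change("POST", session, {"username": "alice", "new_password": "x"}))
    # The legitimate form includes the token issued for this session: accepted.
    token = issue_csrf_token(session)
    print(handle_password_change("POST", session,
                                 {"username": "alice", "new_password": "x", "csrf_token": token}))
    print(render_edit_form("42"))
```

The check is only as good as its coverage: every state-changing endpoint (not just the password form) needs the token, and the reflected-parameter encoding must be applied at the point of output, since the same value may be rendered into an attribute in one template and into element text in another.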