CVE-2008-7248

Ruby on Rails <2.1.3 & <2.2.2 - CSRF

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-7248. PoCs published by p0deje.

AI-analyzed exploit summary: This exploit demonstrates a CSRF vulnerability in Redmine <= 0.8.6, allowing an attacker to create an admin user via a crafted HTML form. The PoC automatically submits the form using JavaScript, bypassing user interaction.

Description

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

Exploits (1)

exploitdb WORKING POC VERIFIED
by p0deje · text · remote · linux
https://www.exploit-db.com/exploits/33402


Classification
Working PoC 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Redmine <= 0.8.6
No auth needed
Prerequisites: Victim must visit the malicious HTML page · Redmine instance must be vulnerable (no CSRF token protection)
Analyzed by devstral-2 on Feb 16, 2026

References (10)

Core References
Mailing List (oss-security, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2009/11/28/1
Vendor Advisory (Secunia, x_refsource_secunia): http://secunia.com/advisories/36600
Vendor Advisory (VUPEN vdb-entry, x_refsource_vupen): http://www.vupen.com/english/advisories/2009/2544
Mailing List (oss-security, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2009/12/02/2
Third Party Advisory (Secunia, x_refsource_secunia): http://secunia.com/advisories/38915

Scores

EPSS 0.1141
EPSS Percentile 93.8%

Details

CWE
CWE-20
Status published
Products (6)
rubygems/actionpack 2.1.0 - 2.1.3 (RubyGems)
rubyonrails/rails 2.1.0
rubyonrails/rails 2.1.1
rubyonrails/rails 2.1.2
rubyonrails/rails 2.2.0
rubyonrails/rails 2.2.1
Published Dec 16, 2009
Tracked Since Feb 18, 2026