CVE-2010-3603

mojoPortal 2.3.4.3 and 2.3.5.1 - Cross-Site Request Forgery in File Manager Service

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-3603. PoCs published by Abysssec.

AI-analyzed exploit summary The document describes two vulnerabilities in mojoPortal 2-3-4-3: a CSRF vulnerability allowing file movement and a persistent XSS vulnerability in the user registration page. It includes proof-of-concept details and vulnerable code snippets.

Description

Cross-site request forgery (CSRF) vulnerability in the file manager service (Services/FileService.ashx) in mojoPortal 2.3.4.3 and 2.3.5.1 allows remote attackers to hijack the authentication of administrators for requests that rename arbitrary files, as demonstrated by causing the user.config file to be moved, leading to a denial of service (service stop) and possibly the exposure of sensitive information.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Abysssec · textwebappsasp

https://www.exploit-db.com/exploits/15018

View Code ZIP pw:eip

The document describes two vulnerabilities in mojoPortal 2-3-4-3: a CSRF vulnerability allowing file movement and a persistent XSS vulnerability in the user registration page. It includes proof-of-concept details and vulnerable code snippets.

Classification

Writeup 90%

Attack Type

Xss | Info Leak

Complexity

Moderate

Reliability

Reliable

Target: mojoPortal 2-3-4-3

Auth required

Prerequisites: Admin session for CSRF attack · User registration access for XSS

MITRE ATT&CK