Salmen2 Simple Faucet Script Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in Salmen2/Simple-Faucet-Script version 1.07. This vulnerability allows attackers to execute arbitrary code by sending a crafted POST request to admin.php?p=ads&c=1. When an authenticated admin visits a malicious page containing the exploit, the CSRF attack modifies the homepage content without authorization.

Impact

Exploitation of this vulnerability allows for Stored Cross-Site Scripting (XSS), where injected HTML or JavaScript is executed in the context of the user viewing the homepage.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the admin panel. Then, open a crafted webpage that includes a form targeting admin.php?p=ads&c=1. This form should automatically submit a request that includes a script tag, such as one that triggers an alert. Once the request is processed, the homepage displays the alert, which shows that the XSS payload has been executed and that the CSRF vulnerability was exploited successfully.
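
The missing control described above is request-origin validation on the state-changing POST. The following is an added example, not code from the Simple-Faucet-Script project: a synchronizer-token check that a handler such as admin.php?p=ads&c=1 could run before saving anything. The function names and the csrf_token form field are hypothetical, and the site is assumed to be served over HTTPS on PHP 7.3 or later.

```php
<?php
// Added example: hypothetical CSRF hardening for a state-changing admin POST.
// Function names and the 'csrf_token' field are assumptions, not project code.
declare(strict_types=1);

// Session cookie that browsers do not attach to cross-site requests.
function start_admin_session(): void
{
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    session_start();
}

// Synchronizer token: one random value per session, embedded in every admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when the POST carries the session's token and, if the browser sent
// an Origin header, that origin's host matches the host being requested.
function csrf_request_is_valid(array $post, array $server, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if (!is_string($expected) || !is_string($supplied) || $expected === ''
        || !hash_equals($expected, $supplied)) {
        return false;
    }
    if (isset($server['HTTP_ORIGIN'])) {
        $originHost = parse_url((string) $server['HTTP_ORIGIN'], PHP_URL_HOST);
        $siteHost   = parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
        return is_string($originHost) && is_string($siteHost)
            && strtolower($originHost) === strtolower($siteHost);
    }
    return true;
}

start_admin_session();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && !csrf_request_is_valid($_POST, $_SERVER, $_SESSION)) {
    http_response_code(403);
    exit('Invalid or missing CSRF token');
}
// Each admin form then embeds csrf_token(), HTML-escaped, in a hidden 'csrf_token' field.
```

A form auto-submitted from another site cannot read the session's token, so the request is rejected with 403 before the homepage content is touched.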

Added: Nov 12, 2025, 7:24 PM
Updated: Nov 12, 2025, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.