HIO-2009-0919 AgoraCart CSRF (all versions)

AgoraCart GOLD ver. 5.5.005 and AgoraCart version 5.2.006 (Open Source Version) allow cross-site request forgery throughout all administrative functions. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify that the requests were intentionally issued by the logged-in user. This can be exploited to perform administrative actions, e.g. manipulate a .htaccess file via the protected/manager.cgi script or change the user's password, if a logged-in administrative user visits a malicious web site.

References:
CVE: CVE-2009-pending
FrSIRT: N/A
Nessus: N/A
OSVDB:
SA: 36789
XF: 53808
Related:
Vendor Solution:
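The missing validity check described above, as an added example that is not part of the advisory or of AgoraCart's own code: a small Python model of a CGI-style admin handler that issues a random per-session anti-CSRF token, embeds it in server-rendered forms, and rejects any state-changing request that does not present it (with an Origin header comparison as defence in depth). The session model, the action names, the trusted origin and the sample requests are assumptions constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed for this example: a minimal model of a CGI-style admin handler.
# Actions that change server state must carry the session's anti-CSRF token.
STATE_CHANGING_ACTIONS = {"update_htaccess", "change_password"}
TRUSTED_ORIGIN = "https://shop.example"   # assumed site origin (placeholder)


@dataclass
class Session:
    """A logged-in admin session with its own unguessable CSRF token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    action: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def render_form_token(session: Session) -> str:
    """Hidden field that every server-rendered admin form includes."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'


def csrf_check(session: Session, req: Request) -> Optional[str]:
    """Return None if the request is acceptable, otherwise the rejection reason."""
    if req.action not in STATE_CHANGING_ACTIONS:
        return None  # read-only actions need no token
    if req.method != "POST":
        return "state-changing action must use POST"
    # Defence in depth: browsers set Origin on cross-site POSTs; when present
    # it must be our own origin. Absence is tolerated for older clients.
    origin = req.headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return f"cross-site origin {origin}"
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so a wrong token reveals nothing through timing.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return "missing or invalid csrf_token"
    return None


def handle(session: Session, req: Request) -> str:
    """Dispatch a request, refusing it when the CSRF check fails."""
    reason = csrf_check(session, req)
    if reason:
        return f"403 rejected: {reason}"
    return f"200 performed {req.action} for {session.user}"


def demo() -> Dict[str, str]:
    """Run constructed sample requests through the handler and collect results."""
    session = Session(user="admin")
    # Same-site form submission that carries the token rendered into the form.
    legit = Request("POST", "change_password", {"Origin": TRUSTED_ORIGIN},
                    {"csrf_token": session.csrf_token, "new_password": "x"})
    # Cross-site form post: the browser attaches the session cookie but the
    # other site cannot know the token, and Origin gives it away.
    cross_origin = Request("POST", "change_password",
                           {"Origin": "https://other-site.example"},
                           {"new_password": "x"})
    # Same request without any Origin header: still fails the token check.
    no_token = Request("POST", "update_htaccess", {}, {"rules": "deny from all"})
    # A GET with the right token is still refused: state changes must be POSTs.
    via_get = Request("GET", "update_htaccess", {},
                      {"csrf_token": session.csrf_token})
    # Read-only action: no token required.
    read_only = Request("GET", "list_orders")
    return {
        "legit": handle(session, legit),
        "cross_origin": handle(session, cross_origin),
        "no_token": handle(session, no_token),
        "get": handle(session, via_get),
        "read_only": handle(session, read_only),
        "form": render_form_token(session),
        "token": session.csrf_token,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

The token is tied to the session rather than to the user name, so a stale token from an earlier login is rejected as well; `csrf_check` runs before any action code so the handler cannot reach the .htaccess or password logic without the check having passed.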