Crux Gallery <= 1.32 / Insecure Cookie Handling Vulnerability

2008.09.27
Credit: Pepelux
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Crux Gallery <= 1.32 / Insecure Cookie Handling Vulnerability -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Program: Crux Gallery Version: <= 1,32 File affected: admin/* Download: http://www.arzdev.com/downloads/8/Crux Found by Pepelux <pepelux[at]enye-sec.org> eNYe-Sec - www.enye-sec.org <em class="quotelev2">>> Program description (by the author website) <<</em> Crux Gallery reads directories on a server and listes them with thumbnails for the user to view without useing exrta space for thumbnails or extra bandwidth for full images. Each image has other resolutions near them for the user to choose from, including the origional resolution the image is in. <em class="quotelev2">>> Bug <<</em> You can access to the admin panel altering the cookie and adding a parameter in the navigation bar. <em class="quotelev2">>> Exploit <<</em> Note: POST is not checked and you can enter all by GET. Also you can create a simple perl script to send GET and POST packages. Navigate by the admin panel adding the parameter '&name=users' in the navigation bar. Examples: to view the main admin panel: http://site/index.php?op=admin&name=users to change the admin password: http://site/index.php?op=pass&name=users

References:

http://www.securityfocus.com/bid/31430
http://www.securityfocus.com/archive/1/archive/1/496763/100/0/threaded
http://www.attrition.org/pipermail/vim/2008-October/002083.html
http://secunia.com/advisories/32058
http://milw0rm.com/exploits/6586


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top