vendor:
Profile Manager Basic
by:
ZoRLu
4,3
CVSS
MEDIUM
Insecure Cookie Handling
613
CWE
Product Name: Profile Manager Basic
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
interlogy Profile Manager Basic (for ByPass) Insecure Cookie Handling Vulnerability
A vulnerability exists in interlogy Profile Manager Basic which allows an attacker to bypass authentication by manipulating the cookie. An attacker can send a crafted cookie with the value 'pmadm=dGVzd ' or '; path=/' to the server and gain access to the application. This can be done by using a JavaScript code such as 'javascript:document.cookie = "pmadm=dGVzd ' or '; path=/";' and then accessing the URL 'http://demo.interlogy.com/pm3/cgi/admin.cgi?action=edittemp' or 'http://demo.interlogy.com/pm3/cgi/admin.cgi?action=users'.
Mitigation:
Ensure that the application is configured to use secure cookies and that the cookie values are properly validated.