vendor:
Multi-Page Comment System
by:
t0pP8uZz
6.4
CVSS
MEDIUM
Insecure Cookie Handling
613
CWE
Product Name: Multi-Page Comment System
Affected Version From: 1.1.2000
Affected Version To: 1.1.2000
Patch Exists: NO
Related CWE: N/A
CPE: a:tpvgames:multi-page_comment_system
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
Multi-Page Comment System 1.1.0 Insecure Cookie Handling
Multi-Page Comment System, suffers from insecure cookie handling, when a admin login is successfull the script creates a cookie to show the rest of the admin area the user is already logged in. the bad thing is the cookie doesnt contain any password or anything alike, therefor we can craft a admin cookie and make it look like we are logged in as a legit admin. The below javascript code will create a cookie, after pasting the code into your browser and running on the affected domain, you can simply visit "/admin.php" and your admin.
Mitigation:
Ensure that the cookie is encrypted and contains a secure token that is not easily guessable.