RantX 1.0 Insecure Admin Authentication Vulnerability
RantX suffers from a insecure admin authentication peice of code, where the script checks to see if the cookie 'logininfo' exists. An attacker can craft a cookie with javascript to bypass this part, or form a legit login request. The password file is opened, then the lines are split into an array, then they are looped thru, if the line matches the cookie then authentication to admin is GIVEN (TRUE). An attacker can give the cookie a value of '<?php' or '?>' then when the cookie is checked against the password file, one line will return TRUE which will give the attacker admin access. The exploit is a javascript code that sets the cookie to '?>'. After running the code in the browser, the attacker can visit 'Admin.php' to exploit the vulnerability.