RSS News AutoPilot Script - Admin Panel Authentication Bypass

vendor:

RSS News AutoPilot Script

by:

Arbin Godar

7,5

CVSS

HIGH

Authentication Bypass

287

CWE

Product Name: RSS News AutoPilot Script

Affected Version From: 1.0.1

Affected Version To: 3.1.0

Patch Exists: YES

Related CWE: N/A

CPE: //a:rss_news_autopilot_script

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2016

RSS News AutoPilot Script – Admin Panel Authentication Bypass

An Attackers are able to completely takeover the web application using RSS News - AutoPilot Script as they can gain access to the admin panel and manage the website as an admin. Steps to Reproduce: Step 1: Add: http://victim-site.com/admin/login.php in a rule list on No-Redirect Extension. Step 2: Access: http://victim-site.com/admin/index.php Step 3: Bypassed.

Mitigation:

Make use of PHP exit() or die() function. / Update to latest version.

Source

Exploit-DB raw data:

# Exploit Title: RSS News AutoPilot Script - Admin Panel Authentication Bypass
# Date: 14 October 2016
# Exploit Author: Arbin Godar
# Website : ArbinGodar.com
# Software Link: https://codecanyon.net/item/rss-news-autopilot-script/11812898
# Version: 1.0.1 to 3.1.0

-------------------------------------------------------------------------------

Description:
An Attackers are able to completely takeover the web application using RSS News - AutoPilot Script as they can gain access to the admin panel and manage the website as an admin.

Steps to Reproduce:
Step 1: Add: http://victim-site.com/admin/login.php in a rule list on No-Redirect Extension.
Step 2: Access: http://victim-site.com/admin/index.php
Step 3: Bypassed.

PoC Video: https://www.youtube.com/watch?v=jldF-IPgkds

Impact: Unauthenticated attackers are able to gain full access to the administrator panel and thus have total control over the web application.

Fix/Patch: Make use of PHP exit() or die() function. / Update to latest version.