Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18289
HistoryOct 26, 2007 - 12:00 a.m.

Flatnuke3 Remote Cookie Manipoulation / Privilege Escalation

2007-10-2600:00:00
vulners.com
13
JSON

/_ | ____ |\___ \ / | / |/ |
| |/ \ | | ( <_/ \ \ ______ | \ \
| | | \ | |/ \ \| | // | || |
||| /\| /____ /\___ >| ||||
\/\_____| \/ \/

Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org

Flatnuke3 Remote Cookie Manipoulation / Privilege Escalation

#By KiNgOfThEwOrLd

PoC:

When an user log in, flatnuke set him a cookie value like this: myforum=nomeuser. If we try to change it, flatnuke will ask us to log in again. The code is:

$req = $_SERVER["REQUEST_URI"];
if (strstr($req, "myforum="))
die(_NONPUOI);

So, we can bypass this filter, using nullbyte and login as admin. For example, Replace:

myforum=yourusername

with:

myforum%00=adminusername

PHP Execution PoC:

I saw that in download module, if we set to "1" the fneditmode, we can make directory. So, we can write a description for the directory, and this description will be saved in /Download/[Dir_Name]/description.it.php . Yes, we can insert php code in the description and it will be execute! Nice, dontcha? :P

JSON