CubeCart 4 session management bypass leads to administrator access
While auditing the source code of CubeCart version v4.3.4, I’ve found a critical vulnerability in this application. Session management for administrative users is flawed. It is easy to bypass it without providing any credentials. An attacker can later perform any actions the administrator can, such as dumping the database, installing modules (PHP code execution) and so on.
CubeCart is using a MySQL table named CubeCart_admin_users for storing information about administrative users.
When an administrator logs in, the application stores his session ID, browser (user agent) and IP address in the sessId, browser and sessIP fields.
Proof of concept and more info: http://www.acunetix.com/blog/
andry- Moderator
- Posts : 467
Join date : 2010-05-07