DATABASE RESOURCES PRICING ABOUT US

{"id": "PACKETSTORM:77192", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Golabi CMS 1.0.1 Session Poisoning", "description": "", "published": "2009-05-03T00:00:00", "modified": "2009-05-03T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/77192/Golabi-CMS-1.0.1-Session-Poisoning.html", "reporter": "CrazyAngel", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:23:58", "viewCount": 9, "enchantments": {"score": {"value": -0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/77192/golabicms101-session.txt", "sourceData": "`-------------------------------------------------------------------------------- \n_________ _____ __ \n\\_ ___ \\____________ ___________ __ / _ \\ ____ ____ ____ | | \n/ \\ \\/\\_ __ \\__ \\ \\___ < | |/ /_\\ \\ / \\ / ___\\_/ __ \\| | \n\\ \\____| | \\// __ \\_/ / \\___ / | \\ | \\/ /_/ > ___/| |__ \n\\______ /|__| (____ /_____ \\/ ____\\____|__ /___| /\\___ / \\___ >____/ \n\\/ \\/ \\/\\/ \\/ \\//_____/ \\/ \n-------------------------------------------------------------------------------- \n[wWw.CrazyAngel.iR] - [info-AT-CrazyAngel.iR] \n-------------------------------------------------------------------------------- \n \n[Golabi CMS Session Poisoning Vulnerability] \n \n[+] Application Info: \n[*] Name: Golabi CMS >= 1.0.1 \n[*] Author: R3dM0ve \n[*] HomePage: http://golabicms.sourceforge.net/ \n \n[+] Vulnerability Info: \n[*] Type: Session Poisoning \n[*] Bug Hunter: CrazyAngel \n[*] Vul URL: [GOLABI_PATH]/Common/ImageVer.php?svar=[SESSION_NAME] \n[*] Details: insufficient input validation in ImageVer.php \nwhich copies user input into session variable. \n \n[+] Attack Example: \nMalicious User can use this to Re-Install/Change Configurations of Installed Golabi: \n1. Go to [GOLABI_PATH]/Common/ImageVer.php?svar=InstallStep \n2. 'InstallStep' Session is Started,go to Install page [GOLABI_PATH]/install.php \nAnd Change Configurations. Hacker can also use this to include a malicious file \ninto config.php by injecting php code into table_prefix field (in Installation Page - Step 1). \n \n \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645400875}}

{}