Wednesday, August 06, 2008

LiteNews Administrator Cookie Authentication Bypass Vulnerability

Bugtraq ID: 30555
Class: Design Error
Remote: Yes
Published: Aug 05 2008 12:00AM
Credit: Scary-Boys
Vulnerable: Wogan May LiteNews 1.2
Description:
LiteNews is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

Attackers can exploit this vulnerability to gain administrative access to the affected application.
Exploit:
Attackers can exploit this issue via a browser. The following example JavaScript code is available:

javascript:document.cookie = "admin=1; path=/";
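
The design error in the description, shown server-side as an added example (this is not LiteNews code, and the vulnerable check is an assumption about the pattern the advisory describes, since the page does not show the application's source). It contrasts a check that trusts a client-set `admin` cookie with one that accepts only an unguessable session ID issued by the server after login; all function and cookie names other than `admin` are hypothetical.

```javascript
// Added example: hypothetical names throughout, not taken from LiteNews.
const crypto = require("node:crypto");

// Server-side session table: the privilege lives here, never in the cookie.
const sessions = new Map(); // sessionId -> { user, isAdmin, expires }

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Flawed pattern: a value the browser can set is treated as proof of identity.
function isAdminFlawed(cookieHeader) {
  return parseCookies(cookieHeader).admin === "1";
}

// Called only after credentials were verified (verification not shown).
// Returns the Set-Cookie value carrying a random 256-bit session ID.
function login(user, isAdmin, ttlMs = 30 * 60 * 1000, now = Date.now()) {
  const id = crypto.randomBytes(32).toString("hex");
  sessions.set(id, { user, isAdmin, expires: now + ttlMs });
  return `session=${id}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Hardened check: the cookie is only a lookup key; role and expiry
// come from server-side state that the client cannot edit.
function isAdminHardened(cookieHeader, now = Date.now()) {
  const record = sessions.get(parseCookies(cookieHeader).session);
  if (!record) return false;
  if (record.expires <= now) {
    sessions.delete(parseCookies(cookieHeader).session);
    return false;
  }
  return record.isAdmin === true;
}
```
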