MySeq (#SimplifyCybersecurity #EssentialSecurity): LiteNews Administrator Cookie Authentication Bypass Vulnerability

Aug 6, 2008

Bugtraq ID:	30555
Class:	Design Error
Remote:	Yes
Published:	Aug 05 2008 12:00AM
Credit:	Scary-Boys
Vulnerable:	Wogan May LiteNews 1.2
Description:	LiteNews is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication. Attackers can exploit this vulnerability to gain administrative access to the affected application.
Exploit:	Attackers can exploit this issue via a browser. The following example JavaScript code is available: javascript:document.cookie = "admin=1; path=/";

Pages