[VIM] root cause for Crux Gallery cookie-handling issue?
Steven M. Christey
coley at linus.mitre.org
Tue Oct 7 23:37:31 UTC 2008
Ref: http://milw0rm.com/exploits/6586
The root cause of the Crux Gallery "Insecure Cookie Handling" issue seems
to be an improper conditional.
main.php has the following code:
if (isset($_COOKIE['user'])) {   // outer existence check on $_COOKIE['user'] (described below; exact form assumed)
    // Vulnerable conditional: when name == "users" (or op == logon) the first
    // parenthesised clause is false, so the && short-circuits and the cookie
    // comparison on the second line is never evaluated; control falls into the
    // else branch and $admin is set to TRUE.
    // Note: "logon" is an unquoted bare constant in the original source.
    if (($_GET['name'] != "users" && $_GET['op'] != logon) &&
        ($_COOKIE['pass'] != $dbpass || $_COOKIE['user'] != $dbuser)) {
        $user = "Anonymous";
        $pass = "";
        $admin = "";
    } else {
        $admin = TRUE;
        // Whatever cookie values arrived are written back with a far-future expiry.
        setcookie('user', $_COOKIE['user'], mktime(12,0,0,1, 1, 2014), '/', '');
        setcookie('pass', $_COOKIE['pass'], mktime(12,0,0,1, 1, 2014), '/', '');
    }
}
So if name = users, the rest of the check is completely bypassed and the
$admin=TRUE block is evaluated. Much of the remaining processing in
index.php just checks the $admin variable.
Note that this is wrapped in a check for the existence of
$_COOKIE['user'], and the $_COOKIE['pass'] check would seem to suggest
that it would fail on the second access. I'm lost in the remaining logic,
so I can't tell if you can only do one access per session or not.
- Steve
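An added illustration of the root cause (this is example code written here, not code from the post or from Crux Gallery): the conditional from main.php is reproduced as a function that takes the request data as arrays instead of reading $_GET and $_COOKIE, with setcookie() left out, so it runs from the command line. Beside it is a corrected check that grants admin only when the cookie values match the stored credentials, independent of which page or op is requested. DB_USER and DB_PASS are constructed stand-ins for $dbuser and $dbpass, and the bare constant logon is modelled as the string "logon".

```php
<?php
// Added example, not from the original post or from Crux Gallery.
// Models the main.php conditional with request data passed in as arrays.

const DB_USER = 'admin';    // constructed stand-in for $dbuser
const DB_PASS = 's3cret';   // constructed stand-in for $dbpass

// Return a cookie value only if it is present and a plain string
// (PHP also accepts array-valued cookies such as user[]=x).
function cookieString(array $cookie, string $key): string
{
    return (isset($cookie[$key]) && is_string($cookie[$key])) ? $cookie[$key] : '';
}

// The conditional as quoted in the post. When $get['name'] == "users" (or
// $get['op'] == "logon"), the first parenthesised clause is false, && short-circuits,
// and the else branch grants admin without the cookies ever being compared
// against the database credentials.
function vulnerableIsAdmin(array $get, array $cookie): bool
{
    $name  = $get['name'] ?? '';
    $op    = $get['op'] ?? '';
    $cUser = cookieString($cookie, 'user');
    $cPass = cookieString($cookie, 'pass');
    if (($name != "users" && $op != "logon") &&
        ($cPass != DB_PASS || $cUser != DB_USER)) {
        return false;   // $admin = ""
    }
    return true;        // $admin = TRUE
}

// Corrected form: the authentication decision must not be short-circuited by
// which page is requested. Admin is granted only when both cookie values match
// the stored credentials; name and op play no part in the decision.
// hash_equals() is used so the comparison is strict and constant-time.
function fixedIsAdmin(array $get, array $cookie): bool
{
    $cUser = cookieString($cookie, 'user');
    $cPass = cookieString($cookie, 'pass');
    return hash_equals(DB_USER, $cUser) && hash_equals(DB_PASS, $cPass);
}

// Constructed requests: label, GET parameters, cookies, expected result of the fixed check.
$cases = [
    ['valid cookies',      ['name' => 'index'], ['user' => 'admin', 'pass' => 's3cret'], true],
    ['bogus cookies',      ['name' => 'index'], ['user' => 'x',     'pass' => 'y'],      false],
    ['name=users, bogus',  ['name' => 'users'], ['user' => 'x',     'pass' => 'y'],      false],
    ['op=logon, bogus',    ['op'   => 'logon'], ['user' => 'x',     'pass' => 'y'],      false],
];

foreach ($cases as [$label, $get, $cookie, $expected]) {
    $vuln = vulnerableIsAdmin($get, $cookie) ? 'admin' : 'anon';
    $fix  = fixedIsAdmin($get, $cookie) ? 'admin' : 'anon';
    $want = $expected ? 'admin' : 'anon';
    printf("%-20s vulnerable=%-6s fixed=%-6s %s\n",
        $label, $vuln, $fix, $fix === $want ? 'ok' : 'MISMATCH');
}
```

Run it with `php main_check.php`. The first two rows agree between the two checks; the last two are the bypass: the vulnerable conditional reports admin for bogus cookies as soon as name=users or op=logon is present, because the credential comparison is never reached, while the corrected check stays at anon.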