UAG-CMS suffers from a session fixation vulnerability.
35d537cc326636b474e15bfcc48eb62a59f4ccadbbc1f958872b79cfefaa8a78
#######################################################################
#
# Exploit Title: UAG-CMS Session Fixation Script
# Date: 2014 18 March
# Author: Dr.3v1l
# Vendor Homepage: http://julienetnel.github.io/inu/
# Tested on: Windows
# Category: webapps
# Google Dork: intext:"UAG CMS"
#
#######################################################################
#
# [+] Exploit :
#
# http://<server>/UAG-CMS/admin/identification.php
#
# Discovered by: Scripting (Session_Fixation.script).
#
# Attack details :
# Session cookie PHPSESSID was fixed to acunetixsessionfixation.
#
# Vulnerability description :
#
# Session Fixation is an attack that permits an attacker to hijack a valid user session.
# The attack explores a limitation in the way the web application manages the session ID,
# more specifically the vulnerable web application. When authenticating a user,
# it doesn't assign a new session ID, making it possible to use an existent session ID.
# The attack consists of inducing a user to authenticate himself with a known session ID,
# and then hijacking the user-validated session by the knowledge of the used session ID.
# The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it.
#
#######################################################################
#
# [+] Contact Me :
#
# B.Devils.B@gmail.com
# Twitter.com/Doctor_3v1l
# Facebook.com/bdb.0web
# Facebook.com/groups/1427166220843499/
# IR.linkedin.com/in/hossein3v1l
# Hossein Hezami - Black_Devils B0ys
#
#######################################################################
# B.Devils.B Friends , R.H.H (UnderGround) , IeDB.IR , IrSecTeam
#######################################################################