OSVDB ID: 54203

Title: PHP Site Lock index.php Multiple Cookie Manipulation Admin Authentication Bypass

Info

Disclosure

May 04, 2009

Discovery

Unknown

Dates

Exploit

May 04, 2009

Solution

Unknown

Description

PHP Site Lock contains a flaw that may allow the attacker to bypass certain security restrictions. The issue is triggered when a remote attacker gains administrative access to the application by creating the cookies "login_id", "group_id", "login_name", "user_id", user_type" and assigning them valid but guessable values. It is possible that the flaw may allow access to the administrative interface resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Kalptaru Infotech Ltd

PHP Site Lock

2.0

References

CVE ID: 2009-1587 (see also: NVD)
Bugtraq ID: 34815
Secunia Advisory ID: 34995
ISS X-Force ID: 50304
Exploit Database: 8604
Milw0rm: 8604
Other Advisory URL: http://astalavista.com/exploits-8732-PHP-Site-Lock-2.0-Insecure-Cookie-Handling-Vulnerability.html
http://www.vupen.com/english/advisories/2009/1249
Vendor URL: http://www.phpsitelock.com/

Credit

ThE g0bL!N -

Direct URL: http://osvdb.org/54203