Probably many of you are using this link exchange script and it’s pretty nice.
But it has a vulnerability (one found by me; there are probably more).
There is a config file “data/config/config”, and normally there’s an .htaccess file in the data folder to deny direct access. But many people don’t have this file.
In the config file you will find something like:
"password";s:32:"098f6bcd4621d373cade4e832627b4f6"
This is part of a serialized array that contains the admin panel password, stored as an MD5 hash.
If you can access the file directly and see its contents, the site is vulnerable.
You can set a cookie named _authcookie with that MD5 hash as its value, and you are logged in as admin.
Anyway, it is not a big risk for the server or anything like that, but whoever does this can change your settings and links.
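A self-check for your own install, as an added example that is not part of the original post: it requests data/config/config and reports whether the serialized password entry is served to the web. The function names, the status labels and the sample string are assumptions made for this example.

```python
import re
import sys
import urllib.error
import urllib.request

# Path named in the post, relative to the script's install directory.
CONFIG_PATH = "data/config/config"

# Serialized PHP string entry: "password";s:32:"<32 hex chars>"
HASH_ENTRY = re.compile(r'"password";s:32:"([0-9a-fA-F]{32})"')

# Constructed sample of a served config body (hash value taken from the post).
SAMPLE = 'a:1:{s:8:"password";s:32:"098f6bcd4621d373cade4e832627b4f6";}'


def classify(status, body):
    """Return 'exposed', 'served' or 'protected' for one HTTP response."""
    if status != 200:
        return "protected"   # 403/404 etc.: direct access is denied
    if HASH_ENTRY.search(body):
        return "exposed"     # config is served and holds the admin hash
    return "served"          # 200 without a hash entry: inspect by hand


def fetch(base_url, timeout=10):
    """GET <base_url>/data/config/config and return (status, body)."""
    url = base_url.rstrip("/") + "/" + CONFIG_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, ""


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_config.py https://your-own-site.example/links")
    status, body = fetch(sys.argv[1])
    verdict = classify(status, body)
    print(f"{CONFIG_PATH}: HTTP {status} -> {verdict}")
    sys.exit(1 if verdict == "exposed" else 0)
```

If the result is "exposed", restore the .htaccess file in the data folder (for example `Require all denied` on Apache 2.4) and change the admin password, because the stored hash itself works as the login cookie.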
1 Comment
Nice find!
I’ve released a new version that no longer supports authorization using the _authcookie.