Flatnuke3 Myforum Cookie Parameter Authentication Bypass Vulnerability

Bugtraq ID:	26157
Class:	Access Validation Error
CVE:	CVE-2007-5771
Remote:	Yes
Local:	No
Published:	Oct 22 2007 12:00AM
Updated:	Nov 15 2007 12:35AM
Credit:	KiNgOfThEwOrLd is credited with the discovery of this vulnerability.
Vulnerable:	Flatnuke3 Flatnuke3 2007-10-10
Not Vulnerable:

Flatnuke3 Myforum Cookie Parameter Authentication Bypass Vulnerability

Flatnuke3 is prone to an authentication-bypass vulnerability because it fails to adequately sanitize user-supplied input used for cookie-based authentication.

An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible.

This issue affects Flatnuke3-2007-10-10; other versions may also be vulnerable.

Flatnuke3 Myforum Cookie Parameter Authentication Bypass Vulnerability

Attackers may exploit this issue through a browser.

The following example cookie data is sufficient to exploit this issue:

myforum%00=adminusername

Flatnuke3 Myforum Cookie Parameter Authentication Bypass Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

Flatnuke3 Myforum Cookie Parameter Authentication Bypass Vulnerability

References:

• Flatnuke3 Homepage (Flatnuke3)
  
• Flatnuke3 Remote Cookie Manipoulation / Privilege Escalation ([email protected])