LiteNews Administrator Cookie Authentication Bypass Vulnerability

Bugtraq ID:	30555
Class:	Design Error
CVE:	CVE-2008-3508
Remote:	Yes
Local:	No
Published:	Aug 05 2008 12:00AM
Updated:	May 07 2015 05:25PM
Credit:	Scary-Boys
Vulnerable:	Wogan May LiteNews 1.2
Not Vulnerable:

LiteNews Administrator Cookie Authentication Bypass Vulnerability

LiteNews is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

Attackers can exploit this vulnerability to gain administrative access to the affected application.

LiteNews Administrator Cookie Authentication Bypass Vulnerability

Attackers can exploit this issue via a browser.

The following example JavaScript code is available:

javascript:document.cookie = "admin=1; path=/";

LiteNews Administrator Cookie Authentication Bypass Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

LiteNews Administrator Cookie Authentication Bypass Vulnerability

References:

• Vendor Homepage (Wogan May)