[VIM] root cause for Crux Gallery cookie-handling issue?

Steven M. Christey coley at linus.mitre.org
Tue Oct 7 23:37:31 UTC 2008

Ref: http://milw0rm.com/exploits/6586

The root cause of the Crux Gallery "Insecure Cookie Handling" issue seems
to be an improper conditional.

main.php has the following code:

    if (($_GET['name'] != "users" && $_GET['op']!=logon) &&
        ($_COOKIE['pass'] != $dbpass || $_COOKIE['user'] != $dbuser)) {
    $user = "Anonymous";
    $pass = "";
    $admin = "";
  } else {
    $admin = TRUE;
    setcookie('user', $_COOKIE['user'], mktime(12,0,0,1, 1, 2014), '/', '');
    setcookie('pass', $_COOKIE['pass'], mktime(12,0,0,1, 1, 2014), '/', '');

So if name = users, the rest of the check is completely bypassed and the
$admin=TRUE block is evaluated.  Much of the remaining processing in
index.php just checks the $admin variable.

Note that this is wrapped in a check for the existence of
$_COOKIE['user'], and the $_COOKIE['pass'] check would seem to suggest
that it would fail on the second access.  I'm lost in the remaining logic,
so I can't tell if you can only do one access per session or not.

- Steve

More information about the VIM mailing list