|
|
Family: CGI abuses --> Category: infos
CitrusDB Remote Authentication Bypass Vulnerability Vulnerability Scan
Vulnerability Scan Summary
Acertains the presence of CitrusDB
Detailed Explanation for this Vulnerability Test
The remote host is running CitrusDB, an open source customer database
application written in PHP.
This version of CitrusDB is vulnerable to an Authentication bypass
vulnerability in the way it handles cookies based authentication.
A possible hacker, to exploit this flaw, needs to know a valid username.
By default CitrusDB comes with admin user. A possible hacker will just need
to send a MD5 hash of username + 'boogaadeeboo' as cookie to be
authenticated as administrator.
Solution : Upgrade to a newer version when available
Threat Level: High
Click HERE for more information and discussions on this network vulnerability scan.
|
