发布时间 :2006-02-21 21:02:00
修订时间 :2017-07-19 21:30:07

[原文]Leif M. Wright's Blog 3.5 does not make a password comparison when authenticating an administrator via a cookie, which allows remote attackers to bypass login authentication, probably by setting the blogAdmin cookie.

[CNNVD]Leif M. Wright Blog.CGI授权绕过漏洞(CNNVD-200602-325)

        Leif M. Wright's Blog 3.5在通过cookie认证管理员时不进行密码比较,这使远程攻击者可以通过设置blogAdmin cookie来绕过登录认证。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BID  16714
(UNKNOWN)  XF  webblog-cookie-auth-bypass(24755)

- 漏洞信息

Leif M. Wright Blog.CGI授权绕过漏洞
高危 输入验证
2006-02-21 00:00:00 2006-02-22 00:00:00
        Leif M. Wright's Blog 3.5在通过cookie认证管理员时不进行密码比较,这使远程攻击者可以通过设置blogAdmin cookie来绕过登录认证。

- 公告与补丁


- 漏洞信息 (F44315)

EV0082.txt (PacketStormID:F44315)
2006-03-03 00:00:00
Aliaksandr Hartsuyeu
exploit,code execution,xss,info disclosure

Leif M. Wright's Blog version 3.5 is susceptible to information disclosure, authentication bypass, code execution, and cross site scripting flaws. Exploit details provided.

New eVuln Advisory:
Leif M. Wright's Blog Multiple Vulnerabilities

eVuln ID: EV0082
CVE: CVE-2006-0843 CVE-2006-0844 CVE-2006-0845 CVE-2006
Software: Leif M. Wright's Blog
Sowtware's Web Site:
Versions: 3.5
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (

1. Sensitive Information Disclosure and Authentication Bypass

All "txt" files isn't protected by htaccess(or any other ways) in default installiation. This can be used to retrieve administrator's password from config file.

2. Cookie Authentication Bypass

"blog.cgi" script dont make password comparisson when identifying administrator by cookie.

3. Shell Command Execution

Administrator has an ability to edit blog configuration including full path to sendmail program. This can be used to execute arbitrary shell commands.

System access is possible.

4. 'Referer' and 'User-Agent' Cross-Site Scripting

Environment variables HTTP_REFERER and HTTP_USER_AGENT are not properly sanitized. This can be used to post HTTP query with fake Referer or User-Agent values which may contain arbitrary html or script code. This code will be executed when administrator will open "Log" page.

Available at:

1. Sensitive Information Disclosure and Authentication Bypass

Url example:

2. Cookie Authentication Bypass

Cookie: blogAdmin=true

3. Shell Command Execution

Sendmail: /bin/ls

4. 'Referer' and 'User-Agent' Cross-Site Scripting

GET /cgi-bin/blog/blog.cgi HTTP/1.0
Host: [host]
Referer: [XSS]
User-Agent: [XSS]
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

file=15-13.59.39.txt&year=2006&month=February&name=zz&comment=zzz&submit=Enter% 20my%20comment

No Patch available.

Discovered by: Aliaksandr Hartsuyeu (

Aliaksandr Hartsuyeu - Penetration Testing Services

- 漏洞信息

Leif M. Wright's Blog blog.cgi Cookie Authentication Weakness
Remote / Network Access Authentication Management
Loss of Integrity Solution Unknown

- 漏洞描述

- 时间线

2006-02-15 Unknow
Unknow Unknow

- 解决方案

OSVDB is not aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete