Burden 'burden_user_rememberme' Authentication Bypass Vulnerability Network Vulnerability

Summary

The host is running Burden and is prone to authentication bypass vulnerability.

Impact

Successful exploitation will allow attackers to login as admin without providing credentials. Impact Level: Application

Solution

Upgrade to Burden 1.8.1 or later, For updates refer to https://github.com/joshf/Burden/releases/tag/1.8.1

Insight

The flaw is due to insufficient authentication when handling 'burden_user_rememberme' cookie parameter. A remote unauthenticated user can set 'burden_user_rememberme' cookie to '1' and gain administrative access to the application.

Affected

Burden version 1.8 and prior.

Detection

Send the crafted HTTP GET request and check is it possible to login or not

References

http://packetstormsecurity.com/files/124719
http://secunia.com/advisories/56343
http://xforce.iss.net/xforce/xfdb/90186
https://www.htbridge.com/advisory/HTB23192

Updated on 2015-03-25

Severity

Classification

CVE CVE-2013-7137
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

AlienVault OSSIM SQL Injection and Remote Code Execution Vulnerabilities
Adobe ColdFusion Components (CFC) Denial Of Service Vulnerability
Apache Tomcat /servlet Cross Site Scripting
Apple Safari RSS Feed Information Disclosure Vulnerability
Adobe ColdFusion Information Disclosure Vulnerability

Take action and discover your vulnerabilities