# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ======================================================== # # # admin panel Authentication bypass # # Description : An Attackers are able to completely compromise the web application built upon # Matrimonial Script as they can gain access to the admin panel and manage the website as an admin without # prior authentication! # # Proof of Concept : - # Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php # Step 2: Access http://example.com/path/admin/index.php # # # Risk : Unauthenticated attackers are able to gain full access to the administrator panel # and thus have total control over the web application, including content change,add admin user .. etc # # # # # ======================================================== # [+] Disclaimer # # Permission is hereby granted for the redistribution of this advisory, # provided that it is not altered except by reformatting it, and that due # credit is given. Permission is explicitly given for insertion in # vulnerability databases and similar, provided that due credit is given to # the author. The author is not responsible for any misuse of the information contained # herein and prohibits any malicious use of all security related information # or exploits by the author or elsewhere. # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #