← back
CVE-2009-1283

CVE-2009-1283

EPSS 1.3%
glFusion before 1.1.3 performs authentication with a user-provided password hash instead of a password, which allows remote attackers to gain privileges by obtaining the hash and using it in the glf_password cookie, aka "User Masquerading." NOTE: this can be leveraged with a separate SQL injection vulnerability to steal hashes.
Affected products
n/a · n/a
public PoCs found1
cve_referencewww.exploit-db.com/exploits/8347unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://marc.info/?l=bugtraq&m=123877379105028&w=2http://retrogod.altervista.org/9sg_glfuso_sql_cookies.htmlhttp://secunia.com/advisories/34575https://www.exploit-db.com/exploits/8347http://www.glfusion.org/article.php/glfusion113http://www.glfusion.org/wiki/doku.php?id=glfusion:whatsnew