This module exploits an authentication vulnerability in OpenSite 2.1. The function init in origin/libs/user.php checks for a matching origin_hash cookie. However, this cookie can be bruteforced in at most 2^32 tries for a known username. Actually, the number of attempts could be significantly reduced knowing that we do not have to check for time in the future, and long past. This works for OpenSite 2.1 and below. It has to be executed against the root directory of OpenSite. The resulting SHA1 cookie has to be used to impersonate the admin on OpenSite putting it on the origin_hash cookie, setting all the others cookies with the default value.
Exploit Type
Product Name