## Title: Advance Charity Management-1.0 - TLS cookie without secure  
flag set-PHPSESSID NEVER EXPIRATION-current session-Hijacking  
## Author: nu11secur1ty  
## Date: 06.04.2023  
## Vendor:  
## Software:  
## Reference:  
## Description:  
The following cookie was issued by the application and does not have  
the secure flag set:  
PHPSESSID: The cookie appears to contain a session token, which may  
increase the risk associated with this issue. You should review the  
contents of the cookie to determine its function. The attacker can use  
the same browser on the same machine to connect with the already  
logged user before this moment, end he can do very nasty stuff with  
this already authenticated account. This is a 100% CRITICAL SITUATION  
if this will happen  
inside of the network level 2 of some companies.  
STATUS: HIGH Vulnerability  
GET /pwnedhost7/members/ HTTP/1.1  
Accept-Encoding: gzip, deflate  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91  
Connection: close  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="114", "Chromium";v="114"  
Sec-CH-UA-Platform: Windows  
Sec-CH-UA-Mobile: ?0  
HTTP/1.1 200 OK  
Date: Sun, 04 Jun 2023 10:13:00 GMT  
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30  
X-Powered-By: PHP/7.4.30  
Set-Cookie: PHPSESSID=hudiao5n9p6rjld5oaju24lbca; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 25629  
<script type="text/javascript">window.location="login.php"; </script><br />  
<b>Notice</b>: Undefined index: rainbow_uid in  
<b>C:\xampp7.4\htdocs\pwnedhost7\members\header.php</b> on line  
<b>7</b><br />  
<br />  
<b>Warning</b>: mysqli_fetch_assoc() expects parameter 1 to be  
mysqli_result, bool given in  
<b>C:\xampp7.4\htdocs\pwnedhost7\members\header.php</b> on line  
## Reproduce:  
## Proof and Exploit:  
## Time spend: