CVE-2010-1097 Information

Description

include/userlogin.class.php in DeDeCMS 5.5 GBK when session.auto_start is enabled allows remote attackers to bypass authentication and gain administrative access via a value of 1 for the _SESSION[dede_admin_id] parameter as demonstrated by a request to uploads/include/dialog/select_soft_post.php.

Reference

http://bbs.wolvez.org/topic/125/ http://osvdb.org/62622 http://secunia.com/advisories/38790 http://www.securityfocus.com/bid/38469