History

Operla 0-1¶

The only exploit that we were able to find in Operla 0.1 was the ability to dump all cookies to a given URL. In the getUrl function at line 58, has support for a remote cookie store, which is enabled by the satisfaction of three conditions:

The cookie sec is passed
The value of the cookie sec is has an MD5sum of 5eb63bbbe01eeed093cb22bb8f5acdc3h as specified in the function trustedCstore at line 48. This value is "hello world"
The cookie Remote-Cookie-Store is passed

If all the above conditions are met, a url encoded version of the cookies is requested as a get url to the page specified in the value of the Remote-Cookie-Store cookie.

Also available in: HTML TXT

ictf09

Wiki

Operla 0-1¶