An attacker found a web statistics page on a site and discovered an administrative login page. By viewing the source of the login page, the attacker identified that a calendar application was in use. The attacker was able to login with test credentials and noticed the login response was missing a failure message. The login response included a cookie that referenced the user's role as an "End User". The attacker changed the role in the cookie to "Administrator" and gained administrative access, escalating their privileges on the system.