PVote 1.0/1.5 Unauthorized Administrative Password Change Vulnerability

2002-04-18T00:00:00
ID EDB-ID:21397
Type exploitdb
Reporter Daniel Nyström
Modified 2002-04-18T00:00:00

Description

PVote 1.0/1.5 Unauthorized Administrative Password Change Vulnerability. CVE-2002-0589. Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/4541/info

PVote is a web voting system written in PHP. It will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

It is possible to change the administrative password by submitting a malicious web request containing the appropriate values for the URL parameters. No authentication credentials are required. 

http://target/pvote/ch_info.php?newpass=password&confirm=password

where password is the attacker-supplied value for the new administrative password.