Allmanage allmanageup.pl Arbitrary File and User Account Modification

2000-05-13T00:00:00
ID OSVDB:1337
Type osvdb
Reporter Bighawk (bighawk@warfare.com)
Modified 2000-05-13T00:00:00

Description

Vulnerability Description

Allmanage contains a flaw that may allow a remote attacker to arbitrarily modify files and user accounts. The issue is triggered when the 'allmanageup.pl' script is requested directly. The flaw may allow a remote attacker to arbitrarily add, change and delete user accounts and/or modify the contents of the directory main page, resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It may be possible to correct the flaw by implementing the following workaround:

Remove the read file permission on the allmanage/k file for all users except the owner of the file.

References:

Related OSVDB ID: 4982
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-05/0167.html
ISS X-Force ID: 4465
CVE-2000-0435
Bugtraq ID: 1217