Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:591
HistoryAug 24, 2000 - 12:00 a.m.

Account Manager CGI Vulnerability

2000-08-2400:00:00
vulners.com
30
JSON

Product: Account Manager
Versions: ALL including LITE and PRO haven't been able to test ENTERPRISE
OS: Unix and Winnt
Vendor: Notified, http://www.cgiscriptcenter.com/

The Problem:

The Script allows any remote user access to the Administration Control

Panel through overwriting the Admin Password with one of their own making :). This
is possible since the script parses the inputted data with total disregard for whether
the current userhas Admin priveleges. Therefore calling

www.server.com/cgibin/amadmin.pl?setpasswd

using a POST command would allow the password to be altered.

Using this exploit would give a remote user access to add and remove

users from protected areas of your website perphaps to other more interesting CGI's ;P.

Exploit:

See the .zip file Attached

Patches:

Already Available see website, download version is patched.

n30
[email protected]
www.alldas.de

JSON