Product: Account Manager
Versions: ALL including LITE and PRO haven't been able to test ENTERPRISE
OS: Unix and Winnt
Vendor: Notified, http://www.cgiscriptcenter.com/
The Problem:
The Script allows any remote user access to the Administration Control
Panel through overwriting the Admin Password with one of their own making :). This
is possible since the script parses the inputted data with total disregard for whether
the current userhas Admin priveleges. Therefore calling
www.server.com/cgibin/amadmin.pl?setpasswd
using a POST command would allow the password to be altered.
Using this exploit would give a remote user access to add and remove
users from protected areas of your website perphaps to other more interesting CGI's ;P.
Exploit:
See the .zip file Attached
Patches:
Already Available see website, download version is patched.