AOH :: HP Unsorted C :: BT-21539.HTM

Cuteflow Version 2.10.3 "edituser.php" Security Bypass Vulnerability

It is possible to edit users (including the admin account) without authenticating, by requesting the address:
http://localhost/cuteflow/pages/edituser.php?userid=1&language=pt&sortby=strLastName&sortdir=ASC&start=1

The vulnerability is caused by the application not properly restricting access to the pages/edituser.php script: the page is served, and the submitted changes are accepted, without an authenticated session. This can be exploited to modify a user's username and password without valid credentials; with userid=1 the record edited is the administrator account.
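As an added example (not code from CuteFlow or from the advisory author), the following Python script checks an installation for the missing access control by requesting edituser.php with no session cookie and classifying the response, and it also shows the authorization rule the script should apply server-side before rendering or saving the form. The form field names it looks for, the login-redirect heuristic, and the session shape in authorize_edit are assumptions for illustration.

```python
"""Probe pages/edituser.php for the missing access check described above,
and model the server-side rule the page should enforce.
Added example; hostname, form-field names and session model are assumptions."""
import urllib.request
import urllib.error
from urllib.parse import urlencode

# Query string from the advisory. Only userid matters for the bypass; the
# other parameters are the ones the original URL carried.
EDITUSER_PARAMS = {"userid": 1, "language": "pt",
                   "sortby": "strLastName", "sortdir": "ASC", "start": 1}

# Markers of an editable user form (assumed field names; adjust them to the
# HTML of the installed version).
FORM_MARKERS = ('name="strUserName"', 'type="password"')


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a redirect to the
    login page is observable (urllib raises HTTPError with the 3xx code)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def default_fetch(url):
    """Unauthenticated GET (no cookies); returns (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def classify_edituser_response(status, headers, body):
    """Decide whether an unauthenticated request reached the edit form.
    'exposed'  : 200 with the user/password form fields -> the bug is present
    'protected': redirect to a login page, or 401/403
    'unknown'  : anything else (inspect manually)"""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400 and "login" in location.lower():
        return "protected"
    if status == 200 and all(marker in body for marker in FORM_MARKERS):
        return "exposed"
    return "unknown"


def probe(base_url, userid=1, fetch=default_fetch):
    """Request edituser.php for `userid` without a session and classify it.
    `base_url` is the CuteFlow root, e.g. http://localhost/cuteflow (assumed)."""
    params = dict(EDITUSER_PARAMS, userid=userid)
    url = f"{base_url.rstrip('/')}/pages/edituser.php?{urlencode(params)}"
    return classify_edituser_response(*fetch(url))


def authorize_edit(session, target_userid):
    """Rule edituser.php should apply before rendering or saving the form.
    Assumed session shape: {'userid': int, 'is_admin': bool}, or None when
    no one is logged in. Anonymous requests are rejected (the reported bug);
    a logged-in user may edit only their own record unless they are an admin."""
    if not session or "userid" not in session:
        return False
    if session.get("is_admin"):
        return True
    return session["userid"] == target_userid


if __name__ == "__main__":
    # Run against a test instance you are authorized to assess.
    print(probe("http://localhost/cuteflow"))
```

The probe deliberately sends no cookies and does not follow redirects: a patched installation answers the request with a redirect to its login page or a 401/403, while an affected one returns the form with the user-name and password fields. The authorize_edit rule adds the ownership check a practitioner would expect alongside the authentication check, since an authenticated non-admin user should not be able to reach userid=1 either; the advisory itself only reports the unauthenticated case.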

Hever Costa Rocha
