Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: amanage1.htm

Allmanage Website Administration Software 2.6 add/change/del user acct access etc.



Vulnerability

    Allmanage Website Administration

Affected

    Allmanage Website Administration Software  2.6

Description

    'bighawk'  found  following.   Websites  using  'Allmanage Website
    Administration Software  2.6 WITH  the upload  ability', and maybe
    earlier versions  , contain  a vulnerability  wich gives  you full
    add/del/change access in the user-account directories and you  can
    change the files in the main directory of the CGI script.

    Go instead of /allmanage.pl  to /allmanageup.pl (extension can  be
    .cgi eventually).  You'll  get into the "Upload  Successful! page"
    and press on the 'Return  To Filemanager'-button.  Now you'll  get
    into the  Root Directory.  From here  you can  add, change, delete
    user-accounts and change the contents of the directory main page.

    This vulnerability  is only  tested with  the Perl  version of the
    script on 9  different sites, all  were vulnerable, and  it is not
    tested with the MySQL version and earlier releases.

    Allmanage  is  freeware  (www.prowebpages.com)  and distributed on
    several  CGI-resource-sites  which  indicates  that  the script is
    widespread, not sure.

Solution

    Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH