Websites using Allmanage Website Administration Software 2.6 with the upload ability contain an easily exploited vulnerability wich gives you full add/del/change access in the user-account directories and you can change the files in the main directory of the CGI script.
28da141276c6e2c819bc1648db253cc3e8c8bb66f3f25be3bda20c50b11dcfceAllmanage.pl vulnerability (13 may 2000)
Websites using 'Allmanage Website Administration Software 2.6 WITH the upload ability', and maybe
earlier versions , contain a vulnerability wich gives you full add/del/change
access in the user-account directories and you can change the files in the main directory of the
CGI script.
Go instead of /allmanage.pl to /allmanageup.pl (extension can be .cgi eventually).
You ll get into the "Upload Successful! page" and press on the 'Return To Filemanager'-button.
Now you ll get into the Root Directory. From here you can add, change, delete user-accounts and
change the contents of the directory main page.
This vulnerability is only tested with the Perl version of the script on 9 different sites, all
were vulnerable, and it is not tested with the MySQL version and earlier releases.
Allmanage is freeware (www.prowebpages.com) and distributed on several CGI-resource-sites. Wich
indicates that the script is widespread, not sure.
Bighawk, bighawk@warfare.com
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed