| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030815052638.9033.qmail@www.securityfocus.com> Date: 15 Aug 2003 05:26:38 -0000 From: DarkKnight <mbuzz04@...oo.com> To: bugtraq@...urityfocus.com Subject: Poster.Version:Two Setup Vulnerability Author: DarkKnight My site: http://www.insecureonline.com Product: Poster.version:two Side Note: This is my first post ever on bugtraq, so bear with me. Vendors: Contacted A vulnerability exists within Poster.version:two that allows a remote attacker to add accounts to a Poster.version:two. The vulnerability exists within Poster's setup. The setup doesn't lock itself after it is ran, so the setup is still active and usable. A sample is listed below http://www.website.com/poster/? go=setup_submit&un=DarkKnight&pw=123456&em=EMAIL&submit=submit The above link would add the user "DarkKnight" with the password "123456" and the email "EMAIL" to the list of users for the Poster script. The user has complete admin access to Poster and will be able to delete accounts, modify news, post news, change the formation of the news, and steal the password of the users who use Poster, which may be the password to their email or website. The two people who deserve credit for this vulnerability are: Fusen and DarkKnight [me :)] Want great hosting? Get it at http://www.onlinehoster.com
Powered by blists - more mailing lists