PHPDev5 Remote Insecure Default Users & Passwords vuln.

vendor:

PHPDev 5

by:

Ali7

5.5

CVSS

MEDIUM

Insecure Default Users & Passwords

798

CWE

Product Name: PHPDev 5

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2005

PHPDev5 Remote Insecure Default Users & Passwords vuln.

PHPDev5 creates 4 default users with blank passwords, allowing attackers to have full control over databases and execute malicious SQL queries or download PHP shells.

Mitigation:

Change the blank passwords.

Source

Exploit-DB raw data:

------------------------------------------------------------------------
# PHPDev5 Remote Insecure Default Users & Passwords vuln.
# By : Ali7
# e-mail : ali7@hotmail.co.uk
# date : 09-03-2k5
# greetz : all my friends ; AlkaeN ; s4a.cc boyz ;)
 
 
>Target : PHPDev 5
>URL : www.firepages.com.au - http://sourceforge.net/projects/phpdev5/
>Type : PHP/Apache/MySQL Server..
 
>>Details : i found that PHPDev creates 4 default users with "blank passwords"..
@% : no privs.
@localhost : full privs. & full control on all Databases..
root@% : full privs. & full control on all Databases..
root@localhost : full privs. & full control on all Databases..
 
>>Exploitin'9 : The Attacker may have the the full control on any database using PhpMyAdmin or any other database management software..
 
An Advanced Attacker may use the the privs. to execute malicuos SQL queries or download PHP-shells .....etc.
 
>> Fixing :
** Change the Blank Passwords.. :\
 
That's All ..)) Sorry 4 my bad English $:

# milw0rm.com [2005-03-11]