Vendor: PVote Web Voting System
By: Unknown
CVSS: 5.5 (MEDIUM)
URL Parameter Manipulation
CWE: Other
Product Name: PVote Web Voting System
Affected Version From: All versions
Affected Version To: All versions
Patch Exists: NO
Related CWE:
CPE: a:pvote:pvote
Metasploit:
Other Scripts:
Platforms Tested: Unix, Linux, Microsoft Windows
2002

PVote Web Voting System URL Parameter Manipulation

A remote attacker can manipulate the URL parameters to add or delete web polls in PVote, a web voting system written in PHP. By modifying the values of the parameters, an attacker can add a poll with a specific topic or delete an existing poll by specifying its ID.

Mitigation:

Implement proper input validation and sanitization to prevent URL parameter manipulation. Regularly update the PVote system to include security patches and fixes.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4540/info

PVote is a web voting system written in PHP. It will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

It is possible for a remote attacker to add/delete web polls just by manipulating the values of URL parameters. 

ADD A POLL:

http://target/pvote/add.php?question=AmIgAy&o1=yes&o2=yeah&o3=well..yeah&o4=bad

where question refers to the topic of the poll to be added by the attacker.

DELETE A POLL:

http://target/pvote/del.php?pollorder=1

where pollorder is the poll 'id' number for the poll to be deleted.
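
For defenders, the following added example (not part of the original advisory or of PVote) scans web server access logs for requests that add or delete polls through the two scripts and parameters named above. It assumes the Apache/nginx "combined" log format; the function name, the field names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format is an assumption of this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Script name -> query parameter that triggers the change (both from the advisory).
WATCHED = {"add.php": "question", "del.php": "pollorder"}


def find_poll_changes(lines):
    """Return one finding per request that adds or deletes a poll via the URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        script = url.path.rsplit("/", 1)[-1].lower()  # tolerate DEL.PHP on Windows hosts
        param = WATCHED.get(script)
        query = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
        if param is None or param not in query:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "action": "add" if script == "add.php" else "delete",
            "value": query[param][0],
            "status": int(m["status"]),
            "remote_user": m["user"],  # "-" when the server logged no HTTP-auth identity
        })
    return findings


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Apr/2002:10:01:22 +0000] "GET /pvote/add.php?question=AmIgAy&o1=yes&o2=yeah HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Apr/2002:10:01:40 +0000] "GET /pvote/del.php?pollorder=1 HTTP/1.0" 200 120 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [12/Apr/2002:10:02:03 +0000] "GET /pvote/index.php HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.9 - admin [12/Apr/2002:10:05:00 +0000] "GET /PVOTE/DEL.PHP?pollorder=%32 HTTP/1.0" 200 120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in find_poll_changes(SAMPLE_LOG):
        print(finding)
```

Findings with a 200 status and a remote_user of "-" are the ones to compare first against the list of polls that administrators actually created or removed.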