![[LWN Logo]](/images/lwn.banner.gif)
Websites using 'Allmanage Website Administration Software 2.6 WITH the upload ability', and maybe earlier versions , contain a vulnerability wich gives you full add/del/change access in the user-account directories and you can change the files in the main directory of the CGI script. Go instead of /allmanage.pl to /allmanageup.pl (extension can be .cgi eventually). You ll get into the "Upload Successful! page" and press on the 'Return To Filemanager'-button. Now you ll get into the Root Directory. From here you can add, change, delete user-accounts and change the contents of the directory main page. This vulnerability is only tested with the Perl version of the script on 9 different sites, all were vulnerable, and it is not tested with the MySQL version and earlier releases. Allmanage is freeware (www.prowebpages.com) and distributed on several CGI-resource-sites. Wich indicates that the script is widespread, not sure. Bighawk, bighawk@warfare.com