Vulnerability Development mailing list archives
Simple CMS
From: daaan () gmail com
Date: 2 Aug 2006 11:14:43 -0000
The CMS from http://www.cms-center.com/ uses no security at all, just a boolean "isloggedin". If you submit "loggedin=1" in the URL of any of the admin pages, you get full control.

Proof:
1. Google for "powered by php mysql simple cms"
2. Type "admin/config_pages.php?loggedin=1" behind the URL
3. Done.

It works on every admin page that uses the so-called auth.php. I tried to contact the author, but I was unable to find ANY contact info.
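The flaw class reported above, shown next to a server-side fix. This is an added example, not part of the original post and not the CMS's own auth.php, whose source the post does not show; it assumes the flag is read from request data, and every function name, session key and the user store are hypothetical.

```php
<?php
// Weak pattern (assumed): login state is read from request data. With
// register_globals enabled, or when $_GET/$_REQUEST is consulted, the
// visitor chooses the value of the flag.
function is_logged_in_weak(array $request): bool
{
    return !empty($request['loggedin']);
}

// Hardened pattern: login state lives only in the server-side session.
// Request parameters are never consulted when deciding access.
function is_logged_in(array $session): bool
{
    return isset($session['user_id'], $session['authenticated'])
        && $session['authenticated'] === true;
}

// The only code path that may set the session flags, and only after the
// password has been checked against a stored password_hash() value.
function login(array &$session, string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session id on privilege change
    }
    $session['user_id'] = $user;
    $session['authenticated'] = true;
    return true;
}

// Constructed demo data: one account, one request carrying only the flag.
$users   = ['admin' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
$request = ['loggedin' => '1'];
$session = []; // stands in for $_SESSION

var_dump(is_logged_in_weak($request)); // weak check, flag supplied by the visitor
var_dump(is_logged_in($session));      // hardened check, empty session
var_dump(login($session, 'admin', 'wrong-password', $users));
var_dump(login($session, 'admin', 'constructed-demo-password', $users));
var_dump(is_logged_in($session));      // hardened check after a verified login
```

In a real admin page, call session_start() first, pass $_SESSION to these functions, and exit with a redirect to the login form when is_logged_in() returns false.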