Allmanage.pl vulnerability (13 may 2000)

Websites using 'Allmanage Website Administration Software 2.6 WITH the upload ability', and maybe
earlier versions , contain a vulnerability wich gives you full add/del/change 
access in the user-account directories and you can change the files in the main directory of the
CGI script.

Go instead of /allmanage.pl to /allmanageup.pl (extension can be .cgi eventually).
You ll get into the "Upload Successful! page" and press on the 'Return To Filemanager'-button.
Now you ll get into the Root Directory. From here you can add, change, delete user-accounts and
change the contents of the directory main page.

This vulnerability is only tested with the Perl version of the script on 9 different sites, all
were vulnerable, and it is not tested with the MySQL version and earlier releases. 

Allmanage is freeware (www.prowebpages.com) and distributed on several CGI-resource-sites. Wich 
indicates that the script is widespread, not sure.  

Bighawk, bighawk@warfare.com