------------------------------------------------------------------------ # PHPDev5 Remote Insecure Default Users & Passwords vuln. # By : Ali7 # e-mail : ali7@hotmail.co.uk # date : 09-03-2k5 # greetz : all my friends ; AlkaeN ; s4a.cc boyz ;) >Target : PHPDev 5 >URL : www.firepages.com.au - http://sourceforge.net/projects/phpdev5/ >Type : PHP/Apache/MySQL Server.. >>Details : i found that PHPDev creates 4 default users with "blank passwords".. @% : no privs. @localhost : full privs. & full control on all Databases.. root@% : full privs. & full control on all Databases.. root@localhost : full privs. & full control on all Databases.. >>Exploitin'9 : The Attacker may have the the full control on any database using PhpMyAdmin or any other database management software.. An Advanced Attacker may use the the privs. to execute malicuos SQL queries or download PHP-shells .....etc. >> Fixing : ** Change the Blank Passwords.. :\ That's All ..)) Sorry 4 my bad English $: # milw0rm.com [2005-03-11]