Vulnerability: Allmanage Website Administration

Affected: Allmanage Website Administration Software 2.6

Description:

'bighawk' found the following. Everybody can easily get the admin password from the allmanage directory. You are then able to set/change lots of variables, add accounts, mail users, back up, restore, edit header/footer code etc. It's really easy to get:

- Find where allmanage.pl is located and replace allmanage.pl with k. For example, allmanage/allmanage.pl becomes allmanage/k. This file contains the admin password, unencrypted.
- Go to allmanage_admin.pl instead of allmanage.pl and log in. You can use admin as the login name.
- Now you're in the main admin panel.

N.B. The login name is not always admin, but in most cases it is.

Other interesting files to request:

- adp : Admin information and encrypted password
- userfile.dat : All user information they entered when requesting their account. (N.B. not always there)
- settings.cfg : Config file; you can get the same information out of the admin panel.

This may also work on the version without the upload ability.

Solution: Nothing yet.
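Since no fix is available, an administrator's next best step is to notice requests for the exposed files. The following is an added detection example, not part of the advisory or of the Allmanage software: it scans web server access logs in the common combined format for requests that reach the files named above under an allmanage directory, and reports whether the server actually served them (HTTP 200). The log lines are constructed samples.

```python
import re
from typing import Dict, List

# Files the advisory names as exposing credentials or user data when the
# allmanage directory is web-accessible. Matched on the basename under any
# path component called "allmanage".
SENSITIVE_FILES = {"k", "adp", "userfile.dat", "settings.cfg"}

# Combined log format (Apache/nginx default): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_allmanage_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request that touched a sensitive allmanage file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        # Drop the query string and normalise case before comparing basenames.
        path = m.group("path").split("?", 1)[0].lower()
        parts = path.strip("/").split("/")
        if "allmanage" in parts[:-1] and parts[-1] in SENSITIVE_FILES:
            hits.append({
                "ip": m.group("ip"),
                "path": path,
                "status": m.group("status"),
                "served": m.group("status") == "200",  # 200 means the data left the server
            })
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/allmanage/allmanage.pl HTTP/1.0" 200 4321',
    '10.0.0.9 - - [01/Jan/2001:10:00:03 +0000] "GET /cgi-bin/allmanage/k HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2001:10:00:04 +0000] "GET /cgi-bin/allmanage/adp HTTP/1.0" 403 210',
    '10.0.0.9 - - [01/Jan/2001:10:00:05 +0000] "GET /cgi-bin/allmanage/userfile.dat?x=1 HTTP/1.0" 200 9000',
    '10.0.0.7 - - [01/Jan/2001:10:00:06 +0000] "GET /index.html HTTP/1.0" 200 1000',
]

if __name__ == "__main__":
    for hit in flag_allmanage_requests(SAMPLE_LOG):
        print(hit)
```

A request for the legitimate allmanage.pl script is not flagged; a denied request (403) is still reported so that probing can be seen even when the file was blocked.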