COMMAND

    Allmanage Website Administration

SYSTEMS AFFECTED

    Allmanage Website Administration Software  2.6

PROBLEM

    'bighawk' found the following. Websites using 'Allmanage Website
    Administration Software 2.6 WITH the upload ability', and possibly
    earlier versions, contain a vulnerability which gives you full
    add/del/change access to the user-account directories and lets you
    change the files in the main directory of the CGI script.

    Instead of /allmanage.pl, go to /allmanageup.pl (the extension may
    be .cgi). You will land on the "Upload Successful!" page; press
    the 'Return To Filemanager' button and you are in the Root
    Directory. From here you can add, change and delete user-accounts
    and change the contents of the main directory page.

    This vulnerability has only been tested with the Perl version of
    the script, on 9 different sites, all of which were vulnerable; it
    has not been tested with the MySQL version or with earlier releases.

    Allmanage is freeware (www.prowebpages.com) and is distributed on
    several CGI resource sites, which suggests that the script is
    widespread, though this is not certain.
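
    As an added example, not part of the original advisory and not
    code from Allmanage: a small Python script that scans web server
    access logs (constructed sample lines in NCSA combined format, not
    real traffic) for requests that reach allmanageup.pl or
    allmanageup.cgi directly, i.e. without the client having gone
    through allmanage.pl first. The heuristics are assumptions about
    normal use rather than anything the advisory states: the upload
    handler is presumed to be reached by a form POST from the file
    manager, so a bare GET, a Referer that is not allmanage.pl, or a
    client with no earlier allmanage.pl request in the log is flagged.
    The Referer test is spoofable and is only a weak signal; the
    per-client history test is the more robust one.

```python
import re

# Constructed sample lines in NCSA combined log format. These are not
# real traffic from any site; they only illustrate the two access
# patterns (file manager first vs. upload script hit directly).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /cgi-bin/allmanage.pl HTTP/1.0" 200 2326 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2000:13:56:10 +0000] "POST /cgi-bin/allmanageup.pl HTTP/1.0" 200 812 "http://www.example.com/cgi-bin/allmanage.pl" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2000:14:02:01 +0000] "GET /cgi-bin/allmanageup.pl HTTP/1.0" 200 812 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2000:14:02:20 +0000] "POST /cgi-bin/allmanageup.pl HTTP/1.0" 200 4096 "http://www.example.com/cgi-bin/allmanageup.pl" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2000:14:05:00 +0000] "GET /cgi-bin/allmanageup.cgi?dir=/ HTTP/1.0" 200 812 "-" "Mozilla/4.0"
"""

# One combined-format line: ip ident user [ts] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The upload script (allmanageup.pl / allmanageup.cgi) and the normal
# entry point (allmanage.pl / allmanage.cgi). The main pattern cannot
# match the upload script because "allmanageu" is not followed by ".".
UPLOAD_SCRIPT_RE = re.compile(r'/allmanageup\.(?:pl|cgi)(?:\?|$)', re.IGNORECASE)
MAIN_SCRIPT_RE = re.compile(r'/allmanage\.(?:pl|cgi)(?:\?|$)', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_direct_upload_hits(log_text):
    """Return the upload-script requests that look like direct visits.

    Assumption (not from the advisory): a legitimate upload is a POST
    from the file manager, so the Referer is allmanage.pl and the same
    client has already requested allmanage.pl earlier in the log.
    """
    seen_main = set()   # clients that requested allmanage.pl earlier
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if MAIN_SCRIPT_RE.search(rec['path']):
            seen_main.add(rec['ip'])
            continue
        if not UPLOAD_SCRIPT_RE.search(rec['path']):
            continue
        reasons = []
        if rec['method'].upper() == 'GET':
            reasons.append('GET to the upload handler (expected a form POST)')
        if not MAIN_SCRIPT_RE.search(rec['referer']):
            reasons.append('Referer is not allmanage.pl (weak signal, spoofable)')
        if rec['ip'] not in seen_main:
            reasons.append('no earlier allmanage.pl request from this client')
        if reasons:
            findings.append({
                'ip': rec['ip'], 'ts': rec['ts'], 'method': rec['method'],
                'path': rec['path'], 'status': rec['status'],
                'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    for hit in find_direct_upload_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} "
              f"-> {hit['status']}: {'; '.join(hit['reasons'])}")
```

    A 200 response to a bare GET on allmanageup.pl is the pattern the
    advisory describes, so those lines are the ones worth reviewing
    first. Log review only shows whether the script has been visited
    directly; while no fixed version exists, a site operator would also
    restrict access to allmanageup.pl at the web server level so that it
    is subject to the same access control as allmanage.pl.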

SOLUTION

    Nothing yet.