COMMAND

    Allmanage Website Administration

SYSTEMS AFFECTED

    Allmanage Website Administration Software 2.6

PROBLEM

    'bighawk' found the following.  Anybody can easily get the admin
    password from the allmanage directory.  Once logged in as admin,
    you are able to set/change lots of variables, add accounts, mail
    users, backup, restore, edit header/footer code etc.  It's really
    easy to get:

        - Find where allmanage.pl is located and replace allmanage.pl
          in the path with K.  For example: allmanage/allmanage.pl
          will become allmanage/k.  This file contains the admin
          password, not encrypted.
        - Go to allmanage_admin.pl instead of allmanage.pl and log in.
          You can use admin as the login name.
        - Now you're in the main admin panel.

    N.B. The login name is not always admin, but in most cases it is.

    Other interesting files to request:

        - adp : Admin information and encrypted password
        - userfile.dat : All user information they entered when
          requesting their account. (N.B. not always there)
        - settings.cfg : Config file, you can get the same information
          out of the admin panel.

    This may also work on the version without the upload ability.
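
    An added example, not part of the original advisory: a log check
    that flags requests for the data files named above and separates
    the ones the server actually answered.  The Common Log Format
    input, the /cgi-bin/ prefix and the sample lines are constructed
    assumptions; only the file and directory names come from the
    advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# Data files the advisory names as requestable from the allmanage directory.
SENSITIVE = {"k", "adp", "userfile.dat", "settings.cfg"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_exposures(lines, app_dir="allmanage"):
    """Return (host, time, path, status) for requests to a sensitive file.

    app_dir is an assumption: the directory name used by the install.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string and decode percent-escapes ("%61dp" -> "adp").
        path = unquote(urlsplit(m["target"]).path)
        parts = [p for p in path.split("/") if p]
        # Compare case-insensitively so probes for "K" and "k" are both seen.
        if (len(parts) >= 2 and parts[-2].lower() == app_dir
                and parts[-1].lower() in SENSITIVE):
            hits.append((m["host"], m["time"], path, int(m["status"])))
    return hits

def served(hits):
    """Hits answered with 2xx, meaning the file content was returned."""
    return [h for h in hits if 200 <= h[3] < 300]

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/allmanage/allmanage.pl HTTP/1.0" 200 5120',
    '198.51.100.7 - - [01/Jan/2001:10:01:00 +0000] "GET /cgi-bin/allmanage/k HTTP/1.0" 200 9',
    '198.51.100.7 - - [01/Jan/2001:10:01:05 +0000] "GET /cgi-bin/allmanage/%61dp HTTP/1.0" 200 64',
    '198.51.100.7 - - [01/Jan/2001:10:01:09 +0000] "GET /cgi-bin/allmanage/settings.cfg?x=1 HTTP/1.0" 403 210',
    '203.0.113.5 - - [01/Jan/2001:10:02:00 +0000] "GET /docs/k HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for host, when, path, status in find_exposures(SAMPLE):
        state = "SERVED" if 200 <= status < 300 else "blocked/missing"
        print(f"{when} {host} {path} -> {status} ({state})")
```

    Any hit that served() returns means the file content left the
    server, so the admin password should be treated as disclosed.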

SOLUTION

    Nothing yet.