
CVE Reference: CVE-2006-3935

NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia nor the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE: CVE-2006-3935

Description: system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before 6.2.2 does not restrict access to administrator functions, which allows remote authenticated users to (1) send broadcast messages to all users (/workplace/broadcast), (2) list all users (/accounts/users), (3) add webusers (/accounts/webusers/new), (4) upload database import and export files (/database/importhttp), (5) upload arbitrary program modules (/modules/modules_import), and (6) read the log file (/workplace/logfileview) by setting the appropriate value for the path parameter in a direct request to admin-main.jsp.

CVE Status: Candidate

References:
XF: http://xforce.iss.net/xforce/xfdb/28003
XF: http://xforce.iss.net/xforce/xfdb/28026
XF: http://xforce.iss.net/xforce/xfdb/27996
XF: http://xforce.iss.net/xforce/xfdb/28031
XF: http://xforce.iss.net/xforce/xfdb/28010
XF: http://xforce.iss.net/xforce/xfdb/28036
SREASON: http://securityreason.com/securityalert/1302
SAID: Secunia Advisory SA21193
MISC: http://www.opencms.org/opencms/en/shownews.html?id=1002
MISC: http://www.opencms.org/export/download/opencms/opencms_6.2.2_src.zip
MISC: http://o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt
BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/441182/100/0/threaded