------------------------------------------------------------------ - EXPL-A-2003-004 exploitlabs.com Advisory 004 ------------------------------------------------------------------ -= BookCMS =- 06/05/03 Donnie Werner http://exploitlabs.com http://frame4.com Vunerability(s): ---------------- 1.Remote Default Administrator Password Product: -------- BookCMS Content Management System http://www.bookman.nl/bookcms/ "BookCMS is a very easy to install browser-based Content Management System. After installing the Perl-scripts on a webserver, BookCMS allows you to add, delete and edit "wysiwyg" HTML files." What you need is: Client: Internet Explorer 5.5 or newer. Webserver: Perl Affected Versions: ------------------ All through BookCMS 1.6 ( current ) Download: --------- http://www.bookman.nl/bookcms/download/bookcms.zip http://www.zone-h.org/download/file=1464/ VUNERABILITY / EXPLOIT ====================== Remote: ------- Default Settings... Remote admin. Password = admin (hint) Read http://www.bookman.nl/bookcms/help.html as well this provides for include I am sure thats not very smart at all. Sample Vunerable Public Hosts: ----------------------- http://www.neworleansbowl.org http://80.197.187.110 Exploit Code: ------------- none needed Vendor Fix: ----------- No fix on 0day Vendor Contact: --------------- BookCMS@bookman.nl Concurrent with this advisory Credits: -------- Donnie Werner http://exploitlabs.com "were finding your holes"