phpDEV5 - Remote Default Insecure Users

Author: Ali7
type: webapps
platform: php
port: 
date_added: 2005-03-10  
date_updated: 2016-04-28  
verified: 1  
codes:   
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comphpdev423_mod_perl.exe  

raw file: 873.txt  

------------------------------------------------------------------------
# PHPDev5 Remote Insecure Default Users & Passwords vuln.
# By : Ali7
# e-mail : ali7@hotmail.co.uk
# date : 09-03-2k5
# greetz : all my friends ; AlkaeN ; s4a.cc boyz ;)


>Target : PHPDev 5
>URL : www.firepages.com.au - http://sourceforge.net/projects/phpdev5/
>Type : PHP/Apache/MySQL Server..

>>Details : i found that PHPDev creates 4 default users with "blank passwords"..
@% : no privs.
@localhost : full privs. & full control on all Databases..
root@% : full privs. & full control on all Databases..
root@localhost : full privs. & full control on all Databases..

>>Exploitin'9 : The Attacker may have the the full control on any database using PhpMyAdmin or any other database management software..

An Advanced Attacker may use the the privs. to execute malicuos SQL queries or download PHP-shells .....etc.

>> Fixing :
** Change the Blank Passwords.. :\

That's All ..)) Sorry 4 my bad English $:

# milw0rm.com [2005-03-11]