[VIM] phpjobboard Authentication admin bypass (fwd)

security curmudgeon jericho at attrition.org
Sat Jun 17 02:42:14 EDT 2006


ISS X-Force 26807
http://archives.neohapsis.com/archives/bugtraq/2006-05/0560.html

8 pages of google show a single installation, and the very last hit is the 
(now defunct?) vendor page:

http://phpjobboard.sourceforge.net/
[DIR] Parent Directory        18-Nov-2002 05:48      -
Apache/1.3.33 Server at phpjobboard.sourceforge.net Port 80

The one installation, http://www.moneyinstitute.com/phpjobboard/, doesn't 
seem to be set up properly, as it shows an index listing. Kind of amusing: 
the uploads directory has resumes in it. Requesting any of the three 
subdirectories in the modules/ directory gives path disclosures.

Following standard sourceforge hierarchy, 
http://sourceforge.net/projects/phpjobboard works:

PHP Job Board     Stats - Activity: 19.61% RSS
This project hopes to provide an open-source system that is similar to 
Monster.com. Project goals are 1) VERY simple install, and minimal 
requirements. This system will be support on any webserver platform that 
can run PHP, and it will work with any dat

But, checking the 'files' available:

http://sourceforge.net/project/showfiles.php?group_id=61962
No File Packages Defined
This project has not yet created any file release packages.

The files *are* available via CVS though:
http://phpjobboard.cvs.sourceforge.net/phpjobboard/phpjobboard/html/

---------- Forwarded message ----------
From: alp_eren at ayyildiz.org
To: bugtraq at securityfocus.com
Date: 25 May 2006 08:00:46 -0000
Subject: phpjobboard Authentication admin bypass

SOFTWARE
==========
phpjobboard

DESCRIPTION:
============
Job board administration bypass; edit or add a new job.

Example:

http://[target]/phpjobboard or your path/admin.php?menu=job&adminop=job-edit&id=[item id]
============================================

greets iskorpitx(best),thehacker,metlak,shadow,tugra and all AYYILDIZ member.

#####damn with pkk terrorism, damn with terrorist people!
==========================================
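The advisory gives only the URL, not the code behind it, so what follows is an added illustration and not phpjobboard's own source. It reconstructs the class of flaw the advisory describes, an admin.php dispatcher whose login check sits on the menu page only, so that a request naming an adminop directly (menu=job&adminop=job-edit&id=N) is served without any session, and places a fixed dispatcher beside it. All function and variable names (is_admin_logged_in, job_edit, dispatch_vulnerable, dispatch_fixed, the admin_id session key) are assumptions for the illustration.

```php
<?php
// Added illustration, NOT phpjobboard's code. Names are assumed.
// Contrasts an admin dispatcher that only checks the login on the menu
// page (the pattern behind "admin.php?menu=job&adminop=job-edit&id=N
// works without logging in") with one that authenticates before any
// admin operation is looked at.

session_start();

function is_admin_logged_in(): bool
{
    // Assumed session layout: a positive admin_id is set at login.
    return isset($_SESSION['admin_id']) && (int)$_SESSION['admin_id'] > 0;
}

function job_edit(int $id): void
{
    // Stand-in for the real edit form / database write.
    echo "Editing job {$id}\n";
}

function show_login_form(): void
{
    echo "Please log in\n";
}

// Vulnerable pattern: the login check lives inside the "no menu chosen"
// branch, so a request that names menu and adminop directly never hits it.
function dispatch_vulnerable(string $menu, string $adminop, int $id): void
{
    if ($menu === '') {
        if (!is_admin_logged_in()) {
            show_login_form();
            return;
        }
        echo "Admin menu\n";
        return;
    }
    if ($menu === 'job' && $adminop === 'job-edit') {
        job_edit($id);   // reachable with no session at all
    }
}

// Fixed pattern: authenticate first, unconditionally, before dispatch.
// Every branch below this check is therefore admin-only.
function dispatch_fixed(string $menu, string $adminop, int $id): void
{
    if (!is_admin_logged_in()) {
        show_login_form();
        exit;
    }
    if ($menu === 'job' && $adminop === 'job-edit') {
        if ($id <= 0) {
            http_response_code(400);
            echo "Bad job id\n";
            return;
        }
        job_edit($id);
        return;
    }
    echo "Admin menu\n";
}

// Parameter handling shared by both versions; only the dispatcher differs.
$menu    = isset($_GET['menu'])    ? (string)$_GET['menu']    : '';
$adminop = isset($_GET['adminop']) ? (string)$_GET['adminop'] : '';
$id      = isset($_GET['id'])      ? (int)$_GET['id']         : 0;

dispatch_fixed($menu, $adminop, $id);
```

The external check for this class of bug needs no exploit at all: request the admin action URL with no cookie (a fresh browser session, or curl without a cookie jar) and see whether the edit form or the login form comes back. If the edit form does, the check is missing on that code path, which is exactly what the advisory reports.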

