


Category:   Application (Web Server/CGI)  >   Advanced Poll
Vendors:   Chi Kien Uong
Advanced Poll PHP-based Voting/Polling Software Gives Remote Users Administrative Access to the Application
SecurityTracker Alert ID:  1002516
SecurityTracker URL:
CVE Reference:   CVE-2001-1423
Updated:  May 22 2009
Original Entry Date:  Oct 10 2001
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.6; possibly earlier versions
Description:   A vulnerability was reported in Advanced Poll, a PHP-based voting/polling system. In a certain configuration, it allows a remote user to gain administrative privileges within the application.

It is reported that when a flat file database is used, a remote user can obtain administrative access to the application by supplying the administrative username in a query string, as follows:


Impact:   A remote user can gain administrative access to the application.
Solution:   The vendor has released a fixed version (1.61). It is available from the Vendor URL.
Vendor URL: (Links to External Site)
Cause:   Authentication error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Application is PHP code that can run on many operating systems.

Message History:   None.

 Source Message Contents

Subject:  Advanced Poll Script

Advanced Poll is a polling system written in PHP by,
versions older than 1.61 and that use the flat file DB version are
to unauthorized remote administration. Contacted vendor and this hole has
been fixed in 1.61

Remote access to the administration can be gained by supplying the
administrative username in the query string:


Derek Comartin

