Missing Authentication for Critical Function
CVE-2009-1780
Summary
admin.php in Frax.dk Php Recommend 1.3 and earlier does not require authentication when the user password is changed, which allows remote attackers to gain administrative privileges via modified form_admin_user and form_admin_pass parameters.
- LOW
- NETWORK
- NONE
- PARTIAL
- PARTIAL
- PARTIAL
CWE-306 - Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
References
Advisory Timeline
- Published