Phase:clogin.php in Benchmark Designs' WHM AutoPilot 2.4.5 and earlier allows remote attackers to obtain plaintext username and password credentials by using the clogin_e and base64_encode functions to encode the desired user ID in the c parameter, then read the plaintext values in the resulting form.
ReferencesFULLDISC:Monday, August 02, 2004 Benchmark Designs' WHM Autopilot backdoor vulnerability to plain-text password. | URL:http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1310.html | BID:10846 | URL:http://www.securityfocus.com/bid/10846 | OSVD
Votes:Assigned (Tuesday, October 25, 2005)
Comments:None (candidate not yet proposed)
F7: