Product: Account Manager
Versions: ALL, including LITE and PRO; haven't been able to test ENTERPRISE
Vendor: Notified, http://www.cgiscriptcenter.com/

The Problem:
The script allows any remote user access to the Administration Control Panel by overwriting the Admin Password with one of their own making :). This is possible because the script parses the input data with total disregard for whether the current user has Admin privileges. Therefore, calling www.server.com/cgibin/amadmin.pl?setpasswd using a POST command would allow the password to be altered. Using this exploit would give a remote user access to add and remove users from protected areas of your website, and perhaps to other, more interesting CGIs ;P.

Exploit: See above.

Patches: There shouldn't have been a hole in the first place; somehow I suspect the patch will be very fast in arriving :).

n30@alldas.de
www.alldas.de
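For administrators running the script, the following added example (not part of the original advisory and not vendor code) scans web server access logs for POST requests to the setpasswd action of amadmin.pl, grouped by client address. It assumes the common/combined log format; the sample log lines, addresses and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_setpasswd_post(method, target):
    """True for a POST whose path ends in amadmin.pl and whose query names setpasswd."""
    path, _, query = target.partition("?")
    script = path.rsplit("/", 1)[-1].lower()
    # The advisory gives the action as a bare query keyword; key=value forms are
    # accepted too (an assumption, since the page shows only the bare form).
    keys = {part.split("=", 1)[0].lower() for part in re.split(r"[&;]", query) if part}
    return method == "POST" and script == "amadmin.pl" and "setpasswd" in keys

def find_setpasswd_posts(lines):
    """Group matching requests by client: {client: [(timestamp, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_setpasswd_post(m["method"], m["target"]):
            hits[m["client"]].append((m["ts"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:01 +0000] "GET /cgibin/amadmin.pl HTTP/1.0" 200 2310',
    '198.51.100.7 - - [01/Jan/2001:10:02:44 +0000] "POST /cgibin/amadmin.pl?setpasswd HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/2001:10:02:59 +0000] "POST /cgibin/amadmin.pl HTTP/1.0" 200 840',
    '192.0.2.10 - - [01/Jan/2001:10:05:12 +0000] "GET /cgibin/amadmin.pl?setpasswd HTTP/1.0" 200 1900',
    '203.0.113.5 - - [01/Jan/2001:10:09:30 +0000] "POST /cgi-bin/AMADMIN.PL?setpasswd HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for client, events in find_setpasswd_posts(SAMPLE_LOG).items():
        for ts, status in events:
            print(f"{client} {ts} status={status}")
```

A match shows only that the request was made and served with that status; each hit still has to be compared against password changes the site's own administrators performed.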