https://www.exploit-db.com/exploits/24672
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-1093

DUwareDUclassmate1.0到1.1版本的account.asp存在漏洞。远程攻击者可以通过修改“MyAccount”页面上的MM_recordId参数修改任意用户的密码。

source: http://www.securityfocus.com/bid/11363/info
 
Multiple vulnerabilities have been identified in the software that may allow a remote attacker to carry out SQL injection and HTML injection attacks. An attacker may also gain unauthorized access to a user's account.
 
DUclassmate may allow unauthorized remote attackers to gain access to a computer.
 
DUclassified is reported prone to multiple SQL injection vulnerabilities.
 
SQL injection issues also affect DUforum.
 
DUclassified and DUforum are also reported vulnerable to various unspecified HTML injection vulnerabilities.
 

<input type="hidden" name="MM_recordId" value="[Your ID Number]">

来源:XF
名称:duclassmate-password-modification(17682)
链接:http://xforce.iss.net/xforce/xfdb/17682
来源:SECTRACK
名称:1011597
链接:http://www.securitytracker.com/alerts/2004/Oct/1011597.html
来源:BID
名称:11363
链接:http://www.securityfocus.com/bid/11363
来源:OSVDB
名称:10663
链接:http://www.osvdb.org/10663