This is just an update of one of my previous threads. I have done some research and it is very well possible that Allmanage can crash your server. Not directly; however, anyone can upload and chmod any file through the admin! And they can get the admin password in less than a second. Anyone.

-------------------------------------------------------------------------------- vulnerability
Websites using 'Allmanage Website Administration Software 2.6 WITH the upload ability', and maybe earlier versions, contain a vulnerability which gives you full add/del/change access in the user-account directories and you can change the files in the main directory of the CGI script. Go instead of / to / (extension can be .cgi eventually). You'll get into the "Upload Successful! page" and press on the 'Return To Filemanager'-button. Now you'll get into the Root Directory. From here you can add, change, delete user-accounts and change the contents of the directory main page. This vulnerability is only tested with the Perl version of the script on 9 different sites, all were vulnerable, and it is not tested with the MySQL version and earlier releases.

-------------------------------------------------------------------------------- Admin Password vulnerability
Everybody can easily get the admin password from the allmanage directory. You are able to set/change lots of variables, add accounts, mail users, backup, restore, edit header/footer code etc... Find where is located and change with K. For example: allmanage/ will become allmanage/k. This file contains the admin password, not encrypted. Go to instead of and login. You can use admin as loginname. Now you're in the main admin panel. N.B. loginname is not always admin, but in most of the cases it is. That is tried on 8 sites using 6 of them were vulnerable.

Other interesting files to request:
adp: Admin information and encrypted password
userfile.dat: All user information they entered requesting their account. (N.B. not always there)
settings.cfg: Config file, you can get the same information out of the admin panel.

This may also work on the version without the upload ability.

Also, if that is not enough to deter you from allowing allmanage on your servers, look at this: (thanks to a fellow WHT user for the link)

Just thought I would help a few other hosts out because this software has some serious vulnerabilities.

Best Regards,
Travis Rowland
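
For hosts who want to check their own servers for the data files named in the post above (adp, userfile.dat, settings.cfg), here is a local audit script. It is an added example, not part of the original post or of Allmanage; matching on a directory name containing "allmanage", the constructed sample tree, and treating the world-readable bit as a stand-in for "the web server can serve this file" are all assumptions.

```python
import os
import stat
import tempfile

# File names the post lists as worth requesting from an Allmanage install.
SENSITIVE_NAMES = {"adp", "userfile.dat", "settings.cfg"}


def find_exposed_files(web_root):
    """Return sorted (path, mode) pairs for sensitive Allmanage data files
    under web_root that are world-readable on disk."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        # Assumption: the install sits in a directory named like "allmanage".
        if "allmanage" not in os.path.basename(dirpath).lower():
            continue
        for name in filenames:
            if name.lower() not in SENSITIVE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IROTH:
                findings.append((path, oct(mode)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout: one exposed install, one locked-down one."""
    layout = {
        "site1/cgi-bin/allmanage/settings.cfg": 0o644,
        "site1/cgi-bin/allmanage/userfile.dat": 0o644,
        "site2/cgi-bin/allmanage/adp": 0o600,
        "site3/htdocs/settings.cfg": 0o644,  # not in an allmanage directory
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, mode in find_exposed_files(build_sample_tree(tmp)):
            print(mode, os.path.relpath(path, tmp))
```

On a real server, call `find_exposed_files` with the directory that holds customer web roots. A hit means the file deserves a closer look at how the web server is configured to handle that directory.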