- Settings form is password-protected
  - i.e.: “/user_accounts.html”
- However, CGI script is publicly available
  - Can be identified in settings form’s ‘action’ attribute
- Attacker can change settings without password
  - Add new admin account
  - Enable remote admin access
  - Disable security settings
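
An audit for the gap described above, as an added example that is not part of the original slides: for every page that requires authentication, resolve each form's 'action' target and flag handlers that the access rules leave open. The handler path "/cgi-bin/user_accounts.cgi", the glob-style rule lists and the sample HTML are constructed assumptions.

```python
from fnmatch import fnmatchcase
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormActions(HTMLParser):
    """Collect the 'action' attribute of every <form> in a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A form without an action submits back to the page itself.
            self.actions.append(dict(attrs).get("action") or "")

def is_protected(path, protected_patterns):
    """True if any access rule (glob pattern, assumed format) covers the path."""
    return any(fnmatchcase(path, p) for p in protected_patterns)

def unprotected_form_handlers(pages, protected_patterns):
    """Return (page, handler) pairs where the page needs auth but its handler does not."""
    findings = []
    for page_path, html in pages.items():
        if not is_protected(page_path, protected_patterns):
            continue  # only password-protected forms are in scope
        parser = FormActions()
        parser.feed(html)
        for action in parser.actions:
            # Resolve relative actions against the page, drop query/fragment.
            handler = urlsplit(urljoin(page_path, action)).path
            if not is_protected(handler, protected_patterns):
                findings.append((page_path, handler))
    return findings

# Constructed sample pages (hypothetical device web root).
PAGES = {
    "/user_accounts.html": '<form method="post" action="/cgi-bin/user_accounts.cgi">'
                           '<input name="user"><input name="pass" type="password"></form>',
    "/status.html": '<form action="status.html"><input type="submit"></form>',
}
WEAK_RULES = ["/*.html"]                  # only the forms require a password
FIXED_RULES = ["/*.html", "/cgi-bin/*"]   # handlers require it as well

if __name__ == "__main__":
    print("weak rules :", unprotected_form_handlers(PAGES, WEAK_RULES))
    print("fixed rules:", unprotected_form_handlers(PAGES, FIXED_RULES))
```

An empty result means every protected form posts to a handler that enforces the same access rule; the handler itself must still check the session on each request.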