Sitenews PHP-Based Web News System Lets Remote Users Add User Accounts
|
SecurityTracker Alert ID: 1003498
|
SecurityTracker URL: http://securitytracker.com/id/1003498
|
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Feb 10 2002
|
Impact:
User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 0.11, prior versions
|
Description:
A vulnerability was reported in Sitenews, a PHP-based news management tool. A remote user can add user accounts to the system.
It is reported that a remote user could add another user account without being logged. No further details were provided.
Ulf Harnhammar is credited with discovering this bug.
|
Impact:
A remote user can add a user account to the system.
|
Solution:
The vendor has released a fixed version (0.12), available at:
http://www.linuxnetwork.nl/download.php?what=download&dl_id=38
|
Vendor URL: www.linuxnetwork.nl/
|
Cause:
Not specified
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 09 Feb 2002 23:06:57 -0500
Subject: Sitenews vulnerability
|
Sitenews 0.12 (Beta)
by JP Durman (http://freshmeat.net/users/johnnyplayer/)
Thursday, February 7th 2002 09:14
Internet :: WWW/HTTP :: Dynamic Content
Internet :: WWW/HTTP :: Dynamic Content :: CGI Tools/Libraries
Internet :: WWW/HTTP :: Dynamic Content :: News/Diary
About: Sitenews is a crossplatform, multi-user news management tool. You
can add, edit, or delete entire news messages, including pictures,
automatic date, etc.
Changes: A security problem was fixed. This problem allowed one to add a
user to the script without being logged by using an exploit. This hole
has been closed.
License: GNU General Public License (GPL)
URL: http://freshmeat.net/projects/sitenews/