A vulnerability in Site News 1.1 allows anyone to add or edit messages without having to authenticate as an administrator.
39cea13c47358c2b6933639b7295d599ae3cf5c206e8a98078b149883e80e73c
SecurityTracker Alert ID: 1011159
SecurityTracker URL: https://securitytracker.com/id?1011159
Date: Sep 5 2004
Impact: Modification of user information
Exploit Included: Yes
Version(s): 1.1
Description: A vulnerability was reported in Site News. A local user can add or edit news items.
LwB Security Team reported that a local user can invoke the script to add or edit messages without having to authenticate as an administrator.
A demonstration exploit is provided:
sitenews.cgi?update\?oldsubject=OLD_SUBJ&subject=NEW_SUBJ&name=ANY_NAME&issue=ISSUE&message=MESSAGE
Impact: A local user can add or edit messages on Site News.
Solution: No solution was available at the time of this entry.
Vendor URL: www.utilmind.com/scripts/sitenews.html (Links to External Site)
Cause: Authentication error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)