SecurityTracker Alert ID: 1011159 SecurityTracker URL: http://securitytracker.com/id?1011159 Date: Sep 5 2004 Impact: Modification of user information Exploit Included: Yes Version(s): 1.1 Description: A vulnerability was reported in Site News. A local user can add or edit news items. LwB Security Team reported that a local user can invoke the script to add or edit messages without having to authenticate as an administrator. A demonstration exploit is provided: sitenews.cgi?update\?oldsubject=OLD_SUBJ&subject=NEW_SUBJ&name=ANY_NAME&issue=ISSUE&message=MESSAGE Impact: A local user can add or edit messages on Site News. Solution: No solution was available at the time of this entry. Vendor URL: www.utilmind.com/scripts/sitenews.html (Links to External Site) Cause: Authentication error Underlying OS: Linux (Any), UNIX (Any), Windows (Any)