Message-ID: <20030815052849.9290.qmail@www.securityfocus.com>
Date: 15 Aug 2003 05:28:49 -0000
From: DarkKnight <mbuzz04@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Fusen News 3.3 Account Add Vulnerability




Author: DarkKnight
My site: http://www.insecureonline.com
Product: Fusen News 3.3 (maybe lower)
Side Note: This vulnerability is for an OLD VERSION of Fusen News. The 
only reason I'm posting this is because I still see people using Fusen 
News 3.3.
Vendors: Not contacted (Upgrade available with fix)

A vulnerability exists in Fusen News 3.3 that allows attackers to add 
accounts with admin or normal privileges. If an account is added, the 
attacker will be able to modify news, post news, delete/add accounts, 
etc. When adding accounts, Fusen News 3.3 does not perform a login check, 
allowing anyone to add accounts through a direct URL.

A sample is listed below

http://www.website.com/FusenNews/?id=signup&username=DarkKnight&email=EMAIL@...IL.COM+&password=123456&icon=&le=3

The above URL would add the account "DarkKnight" with the 
password "123456" and the email "EMAIL@...IL.COM" with Administrator 
abilities to the account list.

The vendor has already made upgrades for Fusen News 3.3 so to fix the 
vulnerability just upgrade. Besides, Fusen News 3.6 looks hot.

The two people who deserve credit for this vulnerability are: Fusen and 
DarkKnight [me :)]

Want great hosting? Get it at http://www.onlinehoster.com
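
For sites still running the affected version, one way to review web server access logs for account-creation requests of the kind shown in the sample URL above. This is an added example, not part of the original post and not Fusen News code; it assumes Combined Log Format, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_signup_requests(lines):
    """Return one finding per logged request whose query string has id=signup."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not parseable access-log entries
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "signup" not in query.get("id", []):
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            "username": query.get("username", [""])[0],
            # 'le' is the parameter the advisory's sample URL sets to 3
            # to obtain Administrator abilities.
            "level": query.get("le", [""])[0],
        })
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Aug/2003:05:30:01 +0000] "GET /FusenNews/'
    '?id=signup&username=test1&email=a%40example.com&password=x&icon=&le=3'
    ' HTTP/1.0" 200 512',
    '192.0.2.10 - - [15/Aug/2003:05:31:12 +0000] "GET /FusenNews/?id=news'
    ' HTTP/1.0" 200 2048',
    '203.0.113.5 - - [15/Aug/2003:05:32:40 +0000] "GET /FusenNews/'
    '?id=signup&username=test2&email=b%40example.com&password=y&icon=&le=1'
    ' HTTP/1.0" 200 498',
]

if __name__ == "__main__":
    for finding in find_signup_requests(SAMPLE_LOG):
        print(finding)
```

Usernames reported by this check can be compared against the account list to find accounts that were not created by an administrator; requests whose parameters were sent in a POST body do not appear in the query string and are not covered.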

