| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040905203247.30552.qmail@www.securityfocus.com> Date: 5 Sep 2004 20:32:47 -0000 From: "Jérôme" ATHIAS <jerome.athias@...amail.com> To: bugtraq@...urityfocus.com Subject: Site News Authentication Error May Let Local Users Add Messages SecurityTracker Alert ID: 1011159 SecurityTracker URL: http://securitytracker.com/id?1011159 Date: Sep 5 2004 Impact: Modification of user information Exploit Included: Yes Version(s): 1.1 Description: A vulnerability was reported in Site News. A local user can add or edit news items. LwB Security Team reported that a local user can invoke the script to add or edit messages without having to authenticate as an administrator. A demonstration exploit is provided: sitenews.cgi?update\?oldsubject=OLD_SUBJ&subject=NEW_SUBJ&name=ANY_NAME&issue=ISSUE&message=MESSAGE Impact: A local user can add or edit messages on Site News. Solution: No solution was available at the time of this entry. Vendor URL: www.utilmind.com/scripts/sitenews.html (Links to External Site) Cause: Authentication error Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Powered by blists - more mailing lists