|
Family: CGI abuses --> Category: infos
paNews Input Validation Vulnerabilities Vulnerability Scan
Vulnerability Scan Summary Detects input validation vulnerabilities in paNews
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP application that suffers from
multiple flaws.
Description :
The remote host is running a version of paNews that suffers from the
following vulnerabilities:
- SQL Injection Issue in the 'login' method of includes/auth.php.
A remote attacker can leverage this vulnerability to add
users with arbitrary rights.
- Local Script Injection Vulnerability in includes/admin_setup.php.
A user defined to the system (see above) can inject arbitrary
PHP code into paNews' config.php via the 'comments' and
'autapprove' parameters of the 'admin_setup.php'
script.
See also :
http://www.kernelpanik.org/docs/kernelpanik/panews.txt
http://archives.neohapsis.com/archives/bugtraq/2005-03/0006.html
Solution :
Unknown at this time.
Threat Level:
High / CVSS Base Score : 7
(AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|