Site News Authentication Error May Let Local Users Add Messages
SecurityTracker Alert ID: 1011159
SecurityTracker URL: http://securitytracker.com/id?1011159
Date: Sep 5 2004
Impact: Modification of user information
Exploit Included: Yes
Version(s): 1.1
Description: A vulnerability was reported in Site News. A local user can add
or edit news items.
LwB Security Team reported that a local user can invoke the script to add or
edit messages without having to authenticate as an administrator.
A demonstration exploit is provided:
sitenews.cgi?update\?oldsubject=OLD_SUBJ&subject=NEW_SUBJ&name=ANY_NAME&issue=ISSUE&message=MESSAGE
Impact: A local user can add or edit messages on Site News.
Solution: No solution was available at the time of this entry.
Vendor URL: www.utilmind.com/scripts/sitenews.html (Links to External Site)
Cause: Authentication error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)