Re: PTNews v1.7.7 - Access to administrator functions without authentification
From: Rui Pimenta (rui.pimenta_at_mail.telepac.pt)
Date: 04/29/03
- Previous message: Mandrake Linux Security Team: "MDKSA-2003:052 - Updated snort packages fix remote vulnerability"
- In reply to: scrap: "PTNews v1.7.7 - Access to administrator functions without authentification"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <bugtraq@securityfocus.com> Date: Tue, 29 Apr 2003 13:57:05 +0100
Update:
Create News: URL Exploitable
Replace Nnews: URL Exploitable
Edit News: URL Exploitable
It's just a matter of learning the indexing structures.
----- Original Message -----
From: "scrap" <webmaster@securiteinfo.com>
To: <bugtraq@securityfocus.com>
Sent: Monday, April 21, 2003 9:49 PM
Subject: PTNews v1.7.7 - Access to administrator functions without authentification
[snip]
Function / URL :
Create a news / Not an URL : only posted datas. Not impossible to exploit :)
Replace a news / Not an URL : only posted datas. Not impossible to exploit :)
Delete all news / http://www.victim.com/ptnews/ index.php?delete=all
Edit a news / Too difficult to exploit
http://www.openbg.net/ptsite/
- Previous message: Mandrake Linux Security Team: "MDKSA-2003:052 - Updated snort packages fix remote vulnerability"
- In reply to: scrap: "PTNews v1.7.7 - Access to administrator functions without authentification"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
