NewsPHP file upload
| newsphp-file-upload (15838) |  Medium Risk |
Description:
NewsPHP could allow a remote attacker, with administrative privileges, to upload malicious files to the system.
Consequences:
Gain Access
Remedy:
Reportedly, this vulnerability is fixed in the latest version of NewsPHP (dated April 15, 2004 or later). See BugTraq Mailing List, Thu Apr 15 2004 - 15:31:30 CDT for more information.
References:
- BugTraq Mailing List, Thu Apr 15 2004 - 15:31:30 CDT: Re: XSS, Admin Access via Cookie and File Upload vulnerability in NewsPHP..
- CVE-2004-2690: Unrestricted file upload vulnerability in the Administration Panel for NewsPHP allows remote authenticated administrators to upload and execute arbitrary code instead of video files.
- OSVDB ID: 5263: NewsPHP Admin Panel Arbitrary File Upload
- SECTRACK ID: 1009740: NewsPHP Authentication Flaw Lets Remote Users Gain Administrative Access
Platforms Affected:
- NewsPHP.com NewsPHP
Reported:
Apr 13, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this