Bugtraq mailing list archives

Re: PTNews v1.7.7 - Access to administrator functions without authentification

From: "Rui Pimenta" <rui.pimenta () mail telepac pt>
Date: Tue, 29 Apr 2003 13:57:05 +0100

Update: 

Create News: URL Exploitable
Replace Nnews: URL Exploitable
Edit News: URL Exploitable

It's just a matter of learning the indexing structures.


----- Original Message ----- 
From: "scrap" <webmaster () securiteinfo com>
To: <bugtraq () securityfocus com>
Sent: Monday, April 21, 2003 9:49 PM
Subject: PTNews v1.7.7 - Access to administrator functions without authentification


[snip]

Function / URL :
Create a news / Not an URL : only posted datas. Not impossible to exploit :)
Replace a news / Not an URL : only posted datas. Not impossible to exploit :)
Delete all news / http://www.victim.com/ptnews/ index.php?delete=all
Edit a news / Too difficult to exploit

http://www.openbg.net/ptsite/

Current thread:

PTNews v1.7.7 - Access to administrator functions without authentification scrap (Apr 21)
- Re: PTNews v1.7.7 - Access to administrator functions without authentification Rui Pimenta (Apr 29)