pnews.txt

`Admin Access Vulnerability in P-News 1.6  
  
Url: http://www.ppopn.net  
  
It is possible to gain admin access if you possess a 'Member'  
account due to a flaw in the 'p-news.php' file.  
You can inject an entire arbitrary account, including all the fields, into   
the 'Name' field, which will push all the restricting details to the far end   
of the data string, not allowing them to be included in the login process.  
Below is an example of a normal database:  
  
Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|[email protected]|-|  
Peter|-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|[email protected]|-|  
  
Notice the '0' denotes an 'admin' account, and the '2' denotes a 'member'   
account.  
Injecting:  
  
Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|[email protected]|-|  
  
Into the 'Name' field in the edit account information section will give the   
malicious user admin privileges.  
The database then looks like:  
  
Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|[email protected]|-|  
Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|[email protected]|-||-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|[email protected]|-|  
  
================================================================  
  
Operating system and servicepack level:  
Windows/Linux/Unix + PHP  
  
Software:  
P-News 1.16 (possibly 1.17)  
  
Under what circumstances the vulnerability was discovered:  
Under a vulnerability search.  
  
If the vendor has been notified:  
The vendor has not been notified because he does not speak English, so much   
confusion may arise.  
  
How to contact you for further information:  
I can always be reached at [email protected]  
  
Please credit this find to:  
Peter Winter-Smith of Team UEC  
  
Thank you for your time,  
-Peter  
  
_________________________________________________________________  
Sign-up for a FREE BT Broadband connection today!   
http://www.msn.co.uk/specials/btbroadband  
  
`