PT News Unauthorized Administrative Access

medium Nessus Plugin ID 11589

Language:

Synopsis

Information managed by the remote service can be modified or erased.

Description

The remote host is using the PT News management system.

There is a flaw in this version which allows anyone to execute arbitrary admnistrative PTnews command on this host (such as deleting news or editing a news) without having to know the administrator password.

An attacker may use this flaw to edit the content of this website or even to delete it completely.

Solution

Upgrade to PT News 1.7.8 or newer.

Plugin Details

Severity: Medium

ID: 11589

File Name: ptnews_admin.nasl

Version: 1.14

Type: remote

Family: CGI abuses

Published: 5/7/2003

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Vulnerability Information

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Reference Information

BID: 7394

Detections

Analytics