Vulnerability Assessment & Network Security Forums



If through a vulnerability assessment, a network security issue is detected for the vulnerability below, applying the appropriate security patches in a timely matter is very important.  If you have detected that your system has already been compromised, following CERT's Network Security recovery document will assist with recommended steps for system recovery.


Home >> Browse Vulnerability Assessment Database >> CGI abuses >> x-news 1


Vulnerability Assessment Details

x-news 1

Vulnerability Assessment Summary
Check if version of x-news 1.x is installed

Detailed Explanation for this Vulnerability Assessment

Summary :

The remote web server contains a PHP application that is prone to
information disclosure.

Description :

X-News is a news management system, written in PHP. X-News uses a
flat-file database to store information. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

X-News stores user ids and passwords, as MD5 hashes, in a world-
readable file, 'db/users.txt'. This is the same information that is
issued by X-News in cookie-based authentication credentials. An
attacker may incorporate this information into cookies and then submit
them to gain unauthorized access to the X-News administrative account.

See also :

http://www.ifrance.com/kitetoua/tuto/x_holes.txt

Solution :

Deny access to the files in the 'db' directory through the webserver.

Network Security Threat Level:

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)

Networks Security ID: 4283

Vulnerability Assessment Copyright: This script is Copyright (C) 2004 Audun Larsen

Cables, Connectors

Apple Xserve 3,1 A1279 2x 4 Core Xeon 2.26GHz 32GB RAM 6tb HDD 64gb SSD
$180.0
Apple Xserve 3,1 A1279 2x 4 Core Xeon 2.26GHz 32GB RAM 6tb HDD 64gb SSD pictureDELL POWEREDGE C2100 SERVER E5640 2.66GHZ 24GB 6 X 146GB 10K SAS
$1469.0
DELL POWEREDGE C2100 SERVER E5640 2.66GHZ 24GB 6 X 146GB 10K SAS pictureDELL POWEREDGE R430 SERVER E5-2650LV3 1.8GHZ 128GB 3 X 1TB H730
$3639.0
DELL POWEREDGE R430 SERVER E5-2650LV3 1.8GHZ 128GB 3 X 1TB H730 pictureHP PROLIANT DL580 G7 SERVER TWO E7-4870 2.40GHZ 32GB 4 X 146GB 15K
$1219.0
HP PROLIANT DL580 G7 SERVER TWO E7-4870 2.40GHZ 32GB 4 X 146GB 15K picture


Discussions

No Discussions have been posted on this vulnerability.