PT-2002-1356 · Site News

Published 2002-05-03 · Updated 2017-07-11 · CVE-2002-0286

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: SiteNews versions 0.10 through 0.11

Description: The issue allows remote attackers to gain privileges and add users by exploiting the GetPassword function in function.php. Supplying a non-existent user name together with the MD5 checksum of an empty password to the add_user.php endpoint causes GetPassword to produce a blank password for the non-existent user, so the comparison against the supplied checksum succeeds.

Recommendations: For SiteNews versions 0.10 through 0.11, as a temporary workaround, consider disabling the GetPassword function until a patch is available. Restrict access to the add_user.php endpoint to minimize the risk of exploitation. Avoid using the add_user.php endpoint with non-existent user names until the issue is resolved.
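The flaw class described above, as an added illustration that is not SiteNews's own code: a hypothetical GetPassword that collapses an unknown user to an empty password (so the well-known MD5 of the empty string passes the check), beside a hardened lookup that treats an unknown user as a failed lookup and compares with hash_equals. The user table, function names and values are constructed for this example.

```php
<?php
// Added illustration of the flaw class in CVE-2002-0286. Hypothetical code,
// not SiteNews's function.php; the data store and names are constructed.

// Constructed store: username => password as a 2002-era app kept it.
// (Plaintext storage is its own weakness and is not the point here.)
$users = ['admin' => 's3cret'];

// Vulnerable pattern: an unknown user falls through to '' instead of failing,
// and md5('') is the public constant d41d8cd98f00b204e9800998ecf8427e.
function GetPassword_vulnerable(array $users, string $name): string
{
    foreach ($users as $user => $password) {
        if ($user === $name) {
            return $password;
        }
    }
    return '';                          // nothing found => blank password
}

function check_vulnerable(array $users, string $name, string $suppliedMd5): bool
{
    // No "user exists" check and a loose ==: md5('') matches the supplied hash.
    return md5(GetPassword_vulnerable($users, $name)) == $suppliedMd5;
}

// Hardened pattern: an unknown user is a failed lookup (null), never ''.
function GetPassword_fixed(array $users, string $name): ?string
{
    return array_key_exists($name, $users) ? $users[$name] : null;
}

function check_fixed(array $users, string $name, string $suppliedMd5): bool
{
    $stored = GetPassword_fixed($users, $name);
    if ($stored === null || $stored === '' || $suppliedMd5 === '') {
        return false;                   // missing user or empty credential => deny
    }
    // Strict, constant-time comparison. (Replacing md5-over-plaintext with
    // password_hash()/password_verify() is a separate, further fix.)
    return hash_equals(md5($stored), $suppliedMd5);
}

$emptyMd5 = md5('');                    // the empty-password checksum from the advisory
var_dump(check_vulnerable($users, 'nobody', $emptyMd5)); // bool(true): bypass
var_dump(check_fixed($users, 'nobody', $emptyMd5));      // bool(false)
var_dump(check_fixed($users, 'admin', md5('s3cret')));   // bool(true)
```

A detection-side takeaway: any login path whose user lookup can yield an empty string rather than an explicit "not found" deserves a test with a non-existent user and the empty-password checksum, which is exactly the case the hardened version denies.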


Related identifiers

CVE-2002-0286

Affected products

Site News