CVE-2006-0157

Name of the Vulnerable Software and Affected Versions Reamday Enterprises Magic News Plus version 1.0.3

Description The issue allows remote attackers to change the administrator password. This is achieved by specifying identical values for the passwd and admin password parameters in a change action, then declaring the new password string in the new passwd and confirm passwd parameters.

Recommendations For Reamday Enterprises Magic News Plus version 1.0.3, consider restricting access to the settings.php file to prevent unauthorized password changes until a fix is available. As a temporary workaround, avoid using the passwd and admin password parameters with identical values in change actions.