PT-2006-1236 · Reamday Enterprises · Magic News Plus

Published

2006-01-10

Updated

2008-09-05

CVE-2006-0157

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Reamday Enterprises Magic News Plus version 1.0.3

Description The issue allows remote attackers to change the administrator password. This is achieved by specifying identical values for the passwd and admin password parameters in a change action, then declaring the new password string in the new passwd and confirm passwd parameters.

Recommendations For Reamday Enterprises Magic News Plus version 1.0.3, consider restricting access to the settings.php file to prevent unauthorized password changes until a fix is available. As a temporary workaround, avoid using the passwd and admin password parameters with identical values in change actions.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2006-0157

Affected Products

Magic News Plus

PT-2006-1236 · Reamday Enterprises · Magic News Plus

CVE-2006-0157

Related Identifiers

Affected Products

References · 5