PT-2009-2134 · Sh News · Sh-News
Hadihadi · Published 2009-04-08 · Updated 2024-02-14 · CVE-2008-6664
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
SH-News version 3.0
Description
The issue allows remote attackers to bypass authentication and gain administrator privileges. This is achieved by setting the shuser and shpass cookies to non-zero values in the 'action.php' file.
Recommendations
For SH-News version 3.0, consider temporarily restricting access to the 'action.php' file until a patch is available. As a workaround, avoid using non-zero values for the shuser and shpass cookies to minimize the risk of exploitation.
Exploit
Fix
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Sh-News