PT-2009-5114 · Opennews · Opennews

Sirgod

·

Published

2009-08-11

·

Updated

2017-09-19

·

CVE-2009-2735

CVSS v2.0

6.8

Medium

VectorAV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions OpenNews version 1.0
Description The issue allows remote attackers to execute arbitrary SQL commands. This is possible via the username parameter in the "admin.php" file when magic quotes gpc is disabled.
Recommendations For OpenNews version 1.0, consider disabling the use of the username parameter in the admin.php file until a patch is available, or enable magic quotes gpc to prevent SQL injection attacks.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2009-2735

Affected Products

Opennews