LaNewsFactory Multiple Input Validation Vulnerabilities
BID:39775
Info
| Bugtraq ID: | 39775 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 19 2010 12:00AM |
| Updated: | Apr 19 2010 12:00AM |
| Credit: | Salvatore Fresta |
| Vulnerable: | Christophe Brocas LaNewsFactory 1.0 |
| Not Vulnerable: | |
Discussion
LaNewsFactory is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input. These vulnerabilities include an open-email-relay issue, an arbitrary file-overwrite issue, and multiple local file-include issues.
Exploiting these issues can allow an attacker to overwrite arbitrary local files, obtain potentially sensitive information, execute arbitrary local scripts in the context of the webserver process, or send unsolicited spam to an unrestricted number of email addresses from a forged email address. Other attacks may also be possible.
LaNewsFactory 1.0.0 is vulnerable; other versions may be affected.
Exploit / POC
An attacker can exploit these issues via a browser.
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- LaNewsFactory Homepage (Christophe Brocas)