


Category:   Application (Forum/Board/Portal)  >   NewsPHP (Vendors:   newsPHP Development Team)
NewsPHP Input Validation Flaw Lets Remote Users Gain Administrator Privileges on the Application
SecurityTracker Alert ID:  1006912
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 3 2003
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 216
Description:   Peter Winter-Smith of Team UEC reported a vulnerability in NewsPHP. A remote user can obtain certain administrator privileges.

It is reported that a remote user can inject arbitrary information in the 'email address' field to gain low-level user administrator privileges.

The report indicates that the software does not filter the delimiter string '<~>' from user-supplied input before writing the information to the database file. A remote user can create a specially crafted e-mail address that includes this delimiter string to modify the database file to assign admin privileges to that e-mail address.
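
The missing check described above, as an added example that is not NewsPHP code: the writer rejects the '<~>' delimiter in every field and the reader refuses records with the wrong field count. Only the delimiter comes from the report; the field names, their order, the helper functions and the sample values are assumptions.

```php
<?php
// Added example. Only the '<~>' delimiter comes from the advisory; the field
// names, their order and the sample values are assumptions for illustration.
const DELIM = '<~>';
const FIELDS = ['name', 'password_hash', 'email', 'level'];

// Vulnerable pattern: joined unchecked, so a value containing '<~>' shifts later fields.
function serialize_unsafe(array $rec): string {
    return implode(DELIM, array_map(fn($f) => (string)$rec[$f], FIELDS));
}

// Hardened writer: reject the delimiter and line breaks in every field, and
// validate the e-mail address syntactically before it reaches the file.
function serialize_safe(array $rec): string {
    foreach (FIELDS as $f) {
        $v = (string)($rec[$f] ?? '');
        if (strpos($v, DELIM) !== false || preg_match('/[\r\n]/', $v)) {
            throw new InvalidArgumentException("illegal characters in '$f'");
        }
    }
    if (filter_var((string)$rec['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return implode(DELIM, array_map(fn($f) => (string)$rec[$f], FIELDS));
}

// Hardened reader: a record with the wrong number of fields is corrupt or
// tampered with, so its privilege level must not be trusted.
function parse_record(string $line): array {
    $parts = explode(DELIM, rtrim($line, "\r\n"));
    if (count($parts) !== count(FIELDS)) {
        throw new UnexpectedValueException('field count mismatch');
    }
    return array_combine(FIELDS, $parts);
}

// Constructed input: the e-mail value carries the delimiter.
$rec = ['name' => 'Guest', 'password_hash' => 'x',
        'email' => 'g@example.com' . DELIM . 'extra', 'level' => '1'];
try {
    parse_record(serialize_unsafe($rec));   // reader sees the shifted layout
} catch (UnexpectedValueException $e) {
    echo 'reader: ', $e->getMessage(), "\n";
}
try {
    serialize_safe($rec);                   // writer refuses the value outright
} catch (InvalidArgumentException $e) {
    echo 'writer: ', $e->getMessage(), "\n";
}
```

The field-count check on read is a second line of defence for records already on disk; the write-side rejection is what keeps user input from ever defining a field boundary.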

Vendor notification was reportedly returned by the vendor's e-mail system.

Impact:   A remote user can gain administrator privileges on the application.
Solution:   No solution was available at the time of this entry.

[Editor's note: The vendor's web site indicates that development of NewsPHP has stopped in favor of a new project, NewsPHP Advanced.]

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Arbitrary Field Injection Vulnerability in NewsPHP v216

Arbitrary Field Injection Vulnerability in NewsPHP v216


In NewsPhp it is possible to inject an arbitrary field into the 'email
address' field which would give a low-level user administrator privileges.
This would be accomplished as follows.
A regular user section of the 'nconf.php' file looks similar to the


Whereby "<~>" is the delimiter for the data.
There doesn't appear to be any procedure to check that the 'email address'
field is not changed to include the delimiter and any arbitrary data fed
into it, so therefore the database could be altered in such a way that the
'1' (regular account) of the 'Guest' user, could be changed into a '5'
(admin account).

This could mean that the regular user could be ... A nuisance if nothing

I personally could not get the script to run (I've seen it working on other
sites though) however I gave the code a thorough check before I released
this vulnerability, so apologies if anything here is not exact, however I'm
sure that it should be.


Operating system and servicepack level:
Windows/Linux/Unix + PHP

NewsPHP v216

Under what circumstances the vulnerability was discovered:
Under a vulnerability search.

If the vendor has been notified:
The vendor does not appear to be supporting the product ... My email was
returned :o|

How to contact you for further information:
I can always be reached at

Please credit this find to:
Peter Winter-Smith of Team UEC

Thank you for your time,


