Description - PHP Exec and Data Modification in Magic News Lite

Multiple vulnerabilities were found in the Magic News Lite script.

Exploit: Available
Solution: Not available - check Reamday Enterprises website

1. PHP Code Execution

Vulnerable script: preview.php

The variable $php_script_path is not initialized before it is used in include(). This can be used to execute arbitrary PHP code.

Condition: register_globals = ON


2. Unauthorized Data Modification

Vulnerable script: profile.php

The variables $action, $passwd, $admin_password, $new_passwd and $confirm_passwd are not initialized, and their values can be replaced by user-defined data. This can be used to make unauthorized modifications in config.php.

Condition: register_globals = ON
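
The pattern behind both findings and its fix, as an added PHP example that is not Magic News Lite code. It assumes profile.php compares a submitted $passwd with $admin_password, emulates register_globals with a hypothetical helper, and uses a constructed request; all function names are hypothetical.

```php
<?php
// Added illustration, not Magic News Lite source. Function names and the
// sample request are constructed; variable names come from the advisory.

// Emulates register_globals = ON: request parameters become global variables
// before the script body runs (the directive was removed in PHP 5.4).
function emulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Unsafe pattern (assumed shape of the check): $admin_password is read
// without being set by the script, so a request parameter can define it.
function unsafe_password_ok(): bool
{
    global $passwd, $admin_password;
    return $passwd === $admin_password;
}

// Hardened: the trusted value is passed in by the caller from config, and user
// input is read only from the explicit request array, never from globals.
function safe_password_ok(array $post, string $configPassword): bool
{
    $passwd = isset($post['passwd']) && is_string($post['passwd']) ? $post['passwd'] : '';
    return hash_equals($configPassword, $passwd);
}

// Hardened include path: the script assigns it before use, which overwrites
// any value injected from the request.
function safe_script_path(): string
{
    $GLOBALS['php_script_path'] = __DIR__;
    return $GLOBALS['php_script_path'];
}

// Constructed request for demonstration.
$request = ['passwd' => 'x', 'admin_password' => 'x', 'php_script_path' => '/request/supplied'];
emulate_register_globals($request);

var_dump(unsafe_password_ok());                        // outcome decided by request data
var_dump(safe_password_ok($request, 'stored-secret')); // outcome decided by the stored value
var_dump(safe_script_path() === __DIR__);              // path fixed by the script
```

Setting register_globals = Off removes the condition the advisory lists, but explicit initialization keeps the scripts safe regardless of that setting.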
