Vendor: x-news
By: bd0rk
CVSS: 7.5 (HIGH)
Vulnerability: Password Disclosure
CWE: 200
Product Name: x-news
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE: N/A
CPE: a:xqus:x-news
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

x-news 1.1 Password Disclosure Vulnerability

A vulnerability exists in x-news 1.1 which allows an attacker to view the usernames, MD5 hashes, and emails of all users registered on the system. This is done by accessing the users.txt file located in the news/db directory of the x-news installation. The file contains a list of all users registered on the system in the format of username|MD5-Hash|eMail.

Mitigation:

Ensure that the users.txt file is not accessible from the web server.
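
One way to audit your own server for this exposure, as an added example (not from the advisory or the x-news project): it walks a document root for `news/db/users.txt`, parses the record format described above, and flags copies that have no deny rule. The function names, the Apache `.htaccess` check and the sample records are assumptions constructed for illustration.

```python
import os
import re
import tempfile

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
DENY_MARKERS = ("require all denied", "deny from all")  # Apache 2.4 / 2.2 syntax

def parse_record(line):
    """Parse 'user|md5|mail' (outer pipes tolerated); None if malformed."""
    fields = line.strip().strip("|").split("|")
    if len(fields) != 3 or not MD5_RE.match(fields[1]):
        return None
    return {"username": fields[0], "md5": fields[1].lower(), "email": fields[2]}

def has_deny_rule(directory):
    """Assumption: Apache honouring .htaccess; True if an active deny-all line exists."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="latin-1") as fh:
        active = [ln.lower() for ln in fh if not ln.lstrip().startswith("#")]
    return any(marker in ln for ln in active for marker in DENY_MARKERS)

def audit_docroot(docroot):
    """Return one finding per news/db/users.txt under the document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        if "users.txt" in files and ("/" + rel).endswith("/news/db"):
            with open(os.path.join(dirpath, "users.txt"), encoding="latin-1") as fh:
                records = [r for r in map(parse_record, fh) if r]
            findings.append({"path": rel + "/users.txt", "records": len(records),
                             "exposed": bool(records) and not has_deny_rule(dirpath)})
    return findings

def build_sample(root):
    """Constructed sample data: site_a is unprotected, site_b has a deny rule."""
    for name, protect in (("site_a", False), ("site_b", True)):
        db = os.path.join(root, name, "news", "db")
        os.makedirs(db)
        with open(os.path.join(db, "users.txt"), "w", encoding="utf-8") as fh:
            fh.write("|alice|" + "a" * 32 + "|alice@example.test|\n")
            fh.write("bob|" + "b" * 32 + "|bob@example.test\n")
        if protect:
            with open(os.path.join(db, ".htaccess"), "w", encoding="utf-8") as fh:
                fh.write("Require all denied\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(audit_docroot(root))
```

A `.htaccess` rule only takes effect when the server is configured to honour it, so a copy reported as not exposed should still be moved outside the document root where possible.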

Exploit-DB raw data:

                           x-news 1.1 Password Disclosure Vulnerability


Affected Software: x-news 1.1

x-news Website: http://xqus.com

Bugfounder: bd0rk

Website: www.soh-crew.it.tt

Contact: bd0rk[at]hackermail.com

Greetings: str0ke, Perle, TheJT, ajann

[+]Exploit: http://[target]/[x_news_path]/news/db/users.txt

Showexample: |username|MD5-Hash|eMail|

# milw0rm.com [2006-12-30]