Filename:sitenews-add.txt
Operating Systems:n/a
Service/Daemon:
Description:The function GetPassword in function.php returns an empty string when you ask for a non-existent username. This together with the fact that the program sends usernames in cleartext and passwords as MD5 sums, means that you can log in without an account by posting a non-existent username and the MD5 sum for an empty string as the password. SiteNews has no concept of user levels, so once you are in, you have full control over all news items and all users. |
|