Arbitrary PHP Code Injection in paNews 2.0.4b via admin_setup.php

CVE-2005-0647 · MEDIUM Severity

AV:N/AC:L/AU:N/C:N/I:P/A:N

admin_setup.php in paNews 2.0.4b allows remote attackers to inject arbitrary PHP code via the (1) $form[comments] or (2) $form[autoapprove] parameters, which are written to config.php.
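
The class of bug described above is request data being written into a PHP file that is later executed. The following is an added example of a hardened settings writer, not paNews code: the function names, the schema, and the assumption that both settings are 0/1 flags are hypothetical, and only the two setting names come from the advisory.

```php
<?php
// Added example, not paNews code. Setting names mirror the two parameters
// named in the advisory; treating them as 0/1 flags is an assumption.
declare(strict_types=1);

const SETTINGS_SCHEMA = [
    'comments'    => [0, 1],
    'autoapprove' => [0, 1],
];

function validate_settings(array $form): array
{
    $clean = [];
    foreach (SETTINGS_SCHEMA as $key => $allowed) {
        $raw = $form[$key] ?? null;
        // Reject arrays, missing values and anything that is not a plain digit string.
        if (!is_string($raw) || !ctype_digit($raw) || !in_array((int)$raw, $allowed, true)) {
            throw new InvalidArgumentException("invalid value for setting '$key'");
        }
        $clean[$key] = (int)$raw;   // only typed, allowlisted values leave this function
    }
    return $clean;                  // keys not in the schema are dropped
}

function render_config(array $settings): string
{
    // var_export() emits a PHP literal: values are serialized as data,
    // never concatenated into the file as source text.
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

function write_config(string $path, array $form): void
{
    $body = render_config(validate_settings($form));
    $tmp  = $path . '.tmp';
    // Write to a temp file and rename so a failed write never leaves a partial config.
    if (file_put_contents($tmp, $body, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException("could not write $path");
    }
}

// Constructed sample input: one well-formed submission, one malformed.
$path = sys_get_temp_dir() . '/example_config.php';
write_config($path, ['comments' => '1', 'autoapprove' => '0']);
var_dump(require $path);
try {
    write_config($path, ['comments' => '1; not_a_number', 'autoapprove' => '0']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Validation runs before anything touches disk, so a rejected submission leaves the existing config file unchanged.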
