CVE-2002-0286 | Vulnerability Database | Aqua Security

The GetPassword function in function.php of SiteNews 0.10 and 0.11 allows remote attackers to gain privileges and add users by providing a non-existent user name and the MD5 checksum for an empty password to add_user.php, which causes GetPassword to produce and compare a blank password for the non-existent user.

Affected Software

Name	Vendor	Start Version	End Version
Sitenews	Sitenews	0.01_beta (including)	0.01_beta (including)
Sitenews	Sitenews	0.02_beta (including)	0.02_beta (including)
Sitenews	Sitenews	0.03_beta (including)	0.03_beta (including)
Sitenews	Sitenews	0.04_beta (including)	0.04_beta (including)
Sitenews	Sitenews	0.05_beta (including)	0.05_beta (including)
Sitenews	Sitenews	0.06_beta (including)	0.06_beta (including)
Sitenews	Sitenews	0.07_beta (including)	0.07_beta (including)
Sitenews	Sitenews	0.08_beta (including)	0.08_beta (including)
Sitenews	Sitenews	0.09_beta (including)	0.09_beta (including)
Sitenews	Sitenews	0.10_beta (including)	0.10_beta (including)
Sitenews	Sitenews	0.11_beta (including)	0.11_beta (including)

References

http://marc.info/?l=bugtraq\u0026m=101388393808699\u0026w=2
http://www.securityfocus.com/bid/4046
https://exchange.xforce.ibmcloud.com/vulnerabilities/8181
http://marc.info/?l=bugtraq\u0026m=101388393808699\u0026w=2
http://www.securityfocus.com/bid/4046
https://exchange.xforce.ibmcloud.com/vulnerabilities/8181

NVD	https://nvd.nist.gov/vuln/detail/CVE-2002-0286
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html