AP Newspower software <=4.0.1 allows remote data manipulation

Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Complete
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 AP Newspower is commercial software available from the AP that allows media outlets to obtain text news feeds from the Associated Press. It's like RSS, but you pay for it. And it's slower. And fatter. The default install of this software includes a MySQL instance which stores the feeds as well as copy created by the local media outlet. This MySQL database is configured to allow remote access as root with a blank password. A person so inclined upon finding such a box could, say, insert an article of their own into shows.tblscript and make their own news. Or remotely censor the news, or, ... Oh noes! The AP has been alerted of this issue, and has said they are not interested in fixing it. - ----- I wonder if they bought a MySQL license, or if they are using it under the GPL license. Their web page (http://www.apbroadcast.com/AP+Broadcast/Radio/Prep+Services/AP+News Power.htm) certainly makes no mention of where to obtain the source. -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.5 wpwEAQECAAYFAkZAk5YACgkQXsHJpAi2fRe4yQQAi6fDHuQRX0K8IW3Q4Th02D+EBxRM JFGigWB7d6YsOkrwb2zCqpRwDKImoh/Y8OMZGVIoH4uwCAAYJzrRTPZh2I4xnrRFjtip 2kudDllCrlKor4XYuk9WOtJEOcHojZaczwOuNkLL2RsFE7uyTL8kAD3PiTsbxaPCVdZL k3DZEb4= =dVFH -----END PGP SIGNATURE----- -- Click here to refinance your mortgage. Low rates, approval in minutes. http://tagline.hushmail.com/fc/CAaCXv1QYGKA65kmHH2830bl8uE0ZUIN/

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com


Back to Top