I found a bug in artmedic Newsletter 4.1 (proably even in newer versions) which lets an attacker run arbitrary php-code and bypass the password protection.
The reason for this is mistake in design.
Usually the log.php is included and $logfile,$logtime and $email are declared in the parent document. If we run "log.php?logfile=anyfile.anyext&logtime=unixtimestamp>0&email=<-- insert php code here -->" we get a file anyfile.anyext with following content:
unixtimestamp&&date&&user.host&&user.ip&&<-- php code -->&&
a simple example to reveal the admin pw Hash is
just launch info.php?cur=include.php and you will see it.
to kill the entry type:
vendor has not yet been informed, but he will be as soon as possible ...