Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: bt887.txt

Fusen News 3.3 Account Add Vulnerability

Author: DarkKnight

My site:

Product: Fusen News 3.3 (maybe lower)

Side Note: This vulnerability is for an OLD VERSION of Fusen News. The 

only reason I'm posting this is because I still see people using Fusen 

News 3.3.

Vendors: Not contacted (Upgrade available with fix)

A vulnerability exists in Fusen News 3.3 that allows attackers to add 

accounts with admin or normal privlidges. If an account is added, the 

attacker will be able to modify news, post news, delete/add accounts, 

etc. When adding accounts, Fusen News 3.3 does not perform a login check, 

allowing anyone to add accounts through a direct URL.

A sample is listed below



The above URL would add the account "DarkKnight" with the 

password "123456" and the email "EMAIL@EMAIL.COM" with Administrator 

abilities to the account list.

The vendor has already made upgrades for Fusen News 3.3 so to fix the 

vulnerability just upgrade. Besides, Fusen News 3.6 looks hot.

The two people who deserve credit for this vulnerability are: Fusen and 

DarkKnight [me :)]

Want great hosting? Get it at

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH