BugTraq
AP Newspower software <=4.0.1 allows remote data manipulation May 08 2007 03:16PM
gobbles_fo_evar hushmail com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AP Newspower is commercial software available from the AP that
allows media outlets to obtain text news feeds from the Associated
Press. It's like RSS, but you pay for it. And it's slower. And
fatter.

The default install of this software includes a MySQL instance
which stores the feeds as well as copy created by the local media
outlet. This MySQL database is configured to allow remote access
as root with a blank password. A person so inclined upon finding
such a box could, say, insert an article of their own into
shows.tblscript and make their own news. Or remotely censor the
news, or, ... Oh noes!

The AP has been alerted of this issue, and has said they are not
interested in fixing it.

- -----

I wonder if they bought a MySQL license, or if they are using it
under the GPL license. Their web page
(http://www.apbroadcast.com/AP+Broadcast/Radio/Prep+Services/AP+News
Power.htm) certainly makes no mention of where to obtain the
source.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkZAk5YACgkQXsHJpAi2fRe4yQQAi6fDHuQRX0K8IW3Q4Th02D+EBxRM
JFGigWB7d6YsOkrwb2zCqpRwDKImoh/Y8OMZGVIoH4uwCAAYJzrRTPZh2I4xnrRFjtip
2kudDllCrlKor4XYuk9WOtJEOcHojZaczwOuNkLL2RsFE7uyTL8kAD3PiTsbxaPCVdZL
k3DZEb4=
=dVFH
-----END PGP SIGNATURE-----
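
A defensive check for the condition the advisory describes (root reachable remotely with a blank password), as an added example that is not part of the original post: it audits rows exported from a MySQL grant table. The tab-separated export layout, the sample rows, and the function names are assumptions constructed for illustration.

```python
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample: user<TAB>host<TAB>password-hash, as exported from the
# grant table (assumed layout). The hash value is a placeholder, not a real one.
SAMPLE_EXPORT = (
    "root\t%\t\n"
    "root\tlocalhost\t*PLACEHOLDER_HASH\n"
    "\tlocalhost\t\n"
    "newsfeed\t192.0.2.10\tNULL\n"
    "editor\t%\t*PLACEHOLDER_HASH\n"
)

def parse_export(text):
    """Return (user, host, pw_hash) tuples; batch-mode NULL becomes ''."""
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            raise ValueError("expected 3 tab-separated fields: %r" % line)
        user, host, pw_hash = ("" if f == "NULL" else f for f in fields)
        rows.append((user, host.lower(), pw_hash))
    return rows

def audit_blank_passwords(rows):
    """Flag accounts with no password, worst first."""
    findings = []
    for user, host, pw_hash in rows:
        if pw_hash:
            continue  # a credential is set; not this check's concern
        # Anything other than a loopback name is treated as network-reachable,
        # including the '%' wildcard that matches every client host.
        remote = host not in LOCAL_HOSTS
        if remote and user == "root":
            severity = "critical"   # the configuration the advisory describes
        elif remote:
            severity = "high"
        else:
            severity = "medium"     # blank password, local logins only
        findings.append((severity, user or "<anonymous>", host))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])

if __name__ == "__main__":
    for severity, user, host in audit_blank_passwords(parse_export(SAMPLE_EXPORT)):
        print("%-8s %s@%s" % (severity, user, host))
```

Each finding is remediated by setting a password on the account or dropping the remote grant, and by restricting which interfaces the database listens on.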
