https://www.exploit-db.com/exploits/23863
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200403-089

NewsManagerLite2.5版本存在漏洞。远程攻击者通过在NEWS_LOGINcookie里设置ADMIN参数绕过验证并且获得管理员权限。

source: http://www.securityfocus.com/bid/9935/info
     
Multiple vulnerabilities have been identified in the application that may allow an attacker to carry out SQL injection, cross-site scripting, and account hijacking attacks.
     
The issues exist in the 'comment_add.asp', 'search.asp', 'category_news_headline.asp', 'more.asp', 'category_news.asp', and 'ews_sort.asp' scripts. Further more a cookie account hijacking issue was also discovered in the application that may allow a remote attacker to gain administrative access to application's administrative interface.
     
News Manager Lite 2.5 is reported to be affected by these issues, however, other versions may be affected as well.

Cookie: NEWS%5FLOGIN=ADMIN=1&ID=1

来源:BID
名称:9935
链接:http://www.securityfocus.com/bid/9935
来源:XF
名称:news-manager-admin-access(15550)
链接:http://xforce.iss.net/xforce/xfdb/15550
来源:SECTRACK
名称:1009507
链接:http://securitytracker.com/id?1009507
来源:SECUNIA
名称:11180
链接:http://secunia.com/advisories/11180
来源:BUGTRAQ
名称:20040322VulnerabilitiesinNewsManagerLite2.5&NewsManagerLiteadministration;
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107999733503496&w;=2