search menu icon-carat-right cmu-wordmark

CERT Coordination Center

x_news allows unauthorized users to access administrative menu

Vulnerability Note VU#162723

Original Release Date: 2002-09-16 | Last Revised: 2002-12-10


x_news allows a user to authenticate without supplying the user's plaintext password.


x_news is a system for managing news. When a user logs in to x_news version 1.1 using a plaintext password, x_news hashes the password with MD5 and compares it to user's hash stored in the file named "db/users.txt". If they match, x_news sets a cookie that contains the username and the hashed password. On subsequent transactions, x_news will accept this cookie as valid authentication.

As a result, an attacker does not need to know a user's plaintext password. All that is needed is the user's MD5-hashed password, which can be found in the db/users.txt file.


Attackers can gain access to a user's account by using password data stored in a file, bypassing proper authentication by plaintext password.


The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information

162723 Unknown

Updated:  April 19, 2002



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to frog frog for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 3.60
Date Public: 2002-03-12
Date First Published: 2002-09-16
Date Last Updated: 2002-12-10 23:10 UTC
Document Revision: 8

Sponsored by CISA.