1. Home
  2. >>
  3. Latest
  4. >>
  5. ANSA.it closes some serious flaws

ANSA.it closes some serious flaws

ANSA.it closes some serious flaws

“Improvising yourself as an ANSA collaborator and freely circulating imaginary news around the Internet”. According to security expert Rosario Valotta this is what was possible, just a few days ago, by exploiting some weaknesses in the web-based publishing system of ansa.it, the site of the well-known Italian press agency.

In his blog Valotta explains that ANSA collaborators can insert their news in the agency’s publication system using two web applications. Before the site’s webmasters fixed the security holes, the user interface of these applications was accessible to anyone : to enter the news entry system it was necessary to authenticate, but this did not prevent Valotta from discovering that, by typing a certain URL, a log file was accessed containing information such as the news index and its author. Not without great amazement, the hacker discovered that some collaborators also use the username as a password : this also allowed unauthorized users to log into the system, view the news sent via the Internet by all journalists and even insert new ones .

“Most of the accounts listed on the viewlog.asp page have the same username as the passwords and both consist of 2-3 characters”, writes Valotta in his blog. “In the minds of the designers, authentication was designed with the intention of binding each collaborator to consult only the news sent by him. Too bad that authentication is one thing, authorization is another. The second (which I said) is… non-existent ”.

With a few tricks and a bit of luck, Valotta argues that an attacker could easily have overcome the control of any supervisors and to be able to publish a fake news : false but accredited by the major Italian press agency.

But that’s not all. Valotta also discovered an XSS reflective vulnerability which, according to him, allowed him to “take complete possession of the database by attacking the listener and alter accounts and data present”.

“This management model, combined with the total absence of adequate access control, is very serious”, commented the expert, who in an email sent to Punto Informatico also added: “What I have done requires almost no technical expertise. , but just a little bit of curiosity “.

Valotta makes it known that, following his notification, the managers of ansa.it they have already taken steps to close the weaknesses find.