CVE-2005-0647

paNews 2.0.4b - Remote Code Execution via admin_setup.php Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2005-0647. PoCs published by Silentium.

AI-analyzed exploit summary This exploit leverages SQL injection in paNews v2.0b4 to create a new admin user with a hardcoded password. It sends a crafted HTTP POST request to inject malicious SQL into the authentication process.

Description

admin_setup.php in paNews 2.0.4b allows remote attackers to inject arbitrary PHP code via the (1) $form[comments] or (2) $form[autoapprove] parameters, which are written to config.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Silentium · cwebappsphp

https://www.exploit-db.com/exploits/866

View Code ZIP pw:eip

This exploit leverages SQL injection in paNews v2.0b4 to create a new admin user with a hardcoded password. It sends a crafted HTTP POST request to inject malicious SQL into the authentication process.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: paNews v2.0b4

No auth needed

Prerequisites: network access to the target web server · paNews v2.0b4 installation with default or vulnerable configuration

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Various Sources x_refsource_misc

http://www.kernelpanik.org/docs/kernelpanik/panews.txt

Mailing List mailing-list x_refsource_bugtraq

http://marc.info/?l=bugtraq&m=110969774502370&w=2

Scores

EPSS 0.0415

EPSS Percentile 89.5%

Details

Status published

Products (1)

php_arena/panews 2.0.4b

Published May 02, 2005

Tracked Since Feb 18, 2026