# Exploit Title: RSS News AutoPilot Script - Admin Panel Authentication Bypass # Date: 14 October 2016 # Exploit Author: Arbin Godar # Website : ArbinGodar.com # Software Link: https://codecanyon.net/item/rss-news-autopilot-script/11812898 # Version: 1.0.1 to 3.1.0 ------------------------------------------------------------------------------- Description: An Attackers are able to completely takeover the web application using RSS News - AutoPilot Script as they can gain access to the admin panel and manage the website as an admin. Steps to Reproduce: Step 1: Add: http://victim-site.com/admin/login.php in a rule list on No-Redirect Extension. Step 2: Access: http://victim-site.com/admin/index.php Step 3: Bypassed. PoC Video: https://www.youtube.com/watch?v=jldF-IPgkds Impact: Unauthenticated attackers are able to gain full access to the administrator panel and thus have total control over the web application. Fix/Patch: Make use of PHP exit() or die() function. / Update to latest version.