IndyNews - PhpNuke module: several problems

[Elisa Manara <e () entropika net>]

IndyNews is a PhpNuke add-on that allows users to include media files 
(images, documents and so on) to articles.
While I was playing with the module, I've found several problems.

1) function delMediaFile()

Anybody is able to delete any media attached to already approved articles.

2) function manageMedia()

* Anybody can delete any file owned by the user that runs the php script.

* Manipulating the cookie, you can modify the path of the uploaded files, so
they can be saved wherever you want (into a directory writable by the process owner)

3) function editMediaDescr() and editMediaTempDescr()
Anybody can edit the description of a media attached to an approved or pendent 
article.
Since the file description is showed through the HTML alt="" attribute, and no
check is performed on its contents, it is possible to alter totally the layout
of an article, so as inserting whatever link, image, javascript code, ans so on...

There could be some others bugs, without my knowing, since I've not audited
the entire code.
I contacted the module's author and he has provided a patch available here:
http://www.bergamoblog.it/modules.php?name=Downloads&d_op=getit&lid=4

I'm not responsible of the possible permancence of those bugs even though 
the new release - I have no time to check it.
However, the upgrade is strongly encouraged.

Regards,
Elisa.

-- 
 Elisa Manara                 http://www.entropika.net
 Sed Software Consortium      info (at) sed-consortium.com