system/message.php in Admin News Tools 2.5 does not properly restrict access, which allows remote attackers to post news messages via a direct request.