|
|
| |
| CuteNews is "a powerful and easy for using news management system that use flat files to store its database". A vulnerability in the product allows remote attacker to disclosue sensitive information about the computer and enviroment the product is installed under. |
| |
Credit:
The information has been provided by Arnaud Jacques aka scrap.
|
| |
Vulnerable systems:
* CuteNews version 1.3
* CuteNews version 1.2 and prior
Vulnerable code:
In the file index.php, a condition can be made to execute the PHP function phpinfo(); Here is the interesting lines:
if($HTTP_SERVER_VARS['QUERY_STRING'] == "debug"){ debug(); } ... function debug(){
global $config_version_name, $config_version_id, $config_http_script_dir;
echo"<center><b>CuteNews Debug Information:</b><hr><br>";
echo"Script Version/ID: $config_version_name / $config_version_id<br>";
echo"\$config_http_script_dir: $config_http_script_dir<br><BR>";
echo"<hr>";
phpinfo();
exit();
}
Exploit:
By requesting a URL such as http://victim.com/cutenews/index.php?debug, the content of the phpinfo() function will be returned instead of the normal index page.
|
|
|
