On Sunday 29 August 2004 10:39, e0r wrote:
> Date: August 29, 2004
> Vender: http://www.cutephp.com/
> Program: CuteNews
> Versions affected: => 1.3.6
> Bug: CuteNews News.txt writable to world
> Type:
> Author: e0r
> www: http://www.rootthief.com/
> team: !Sui-Generes (!Sui)
> Email: homicidal @ gmail . com
> -----------------------------
This is not realy a code vulnerability, the problem is in the documentation
where you can read:
"Now You must CHMOD the the directory cutenews/data/ and all files and
folders under the data/ directory must be also chmod'ed to 777"
You can do that without 777 permisions using some alternative methods;
setting directory group as apache user, or using apache suexec.
However CuteNews have some AUTHENTIC vulnerabilities.
- --
- -----------------------------------------------------------------------
Albert Puigsech Galicia
http://www.7a69ezine.org/~apuigsech
- -----------------------------------------------------------------------
Este e-mail puede contener información confidencial y/o privilegiada.
Si el presente mensaje no va dirigido a su persona (o lo ha recibido
por error) por favor, notifíquelo inmediatamente al emisor y destruya
este e-mail. Cualquier divulgación, copia o distribución no autorizada
del material contenido en este e-mail queda prohibida.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Hash: SHA1
On Sunday 29 August 2004 10:39, e0r wrote:
> Date: August 29, 2004
> Vender: http://www.cutephp.com/
> Program: CuteNews
> Versions affected: => 1.3.6
> Bug: CuteNews News.txt writable to world
> Type:
> Author: e0r
> www: http://www.rootthief.com/
> team: !Sui-Generes (!Sui)
> Email: homicidal @ gmail . com
> -----------------------------
This is not realy a code vulnerability, the problem is in the documentation
where you can read:
"Now You must CHMOD the the directory cutenews/data/ and all files and
folders under the data/ directory must be also chmod'ed to 777"
You can do that without 777 permisions using some alternative methods;
setting directory group as apache user, or using apache suexec.
However CuteNews have some AUTHENTIC vulnerabilities.
- --
- -----------------------------------------------------------------------
Albert Puigsech Galicia
http://www.7a69ezine.org/~apuigsech
- -----------------------------------------------------------------------
Este e-mail puede contener información confidencial y/o privilegiada.
Si el presente mensaje no va dirigido a su persona (o lo ha recibido
por error) por favor, notifíquelo inmediatamente al emisor y destruya
este e-mail. Cualquier divulgación, copia o distribución no autorizada
del material contenido en este e-mail queda prohibida.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBM670iLW5f5WBvGcRAqfiAJ9z/EuWShz9Zby5/HDznKN+jZk4zQCfRKqn
QDNQZX3iHoXV1U6DVx+NAkQ=
=yogr
-----END PGP SIGNATURE-----
[ reply ]