Providing an attacker already has administrative access to CuteNews, they can further execute commands on the underlying filesystem due to a failure in sanitizing user input.
6a5ed6ba76c3e63a7ea028579605a3aee91cac0e914caae19f6608597b9a0f0cThere is a vulnerability in the latest (and to the best of my
knowledge, all prior versions of) CuteNews from CutePHP.com.
CuteNews does not properly sanitize user input when an administrative
account edits the template files. CuteNews takes HTML code from a web
form and outputs it to a template file called <templatename>.tpl,
which contains PHP code similar to the following:
--snip--
<?PHP
$template_active = <<<HTML
[HTML template code]
HTML;
$template_full = <<<HTML
[HTML template code]
HTML;
?>
--snap--
By entering:
--snip--
HTML;
[PHP code]
$fake_template = <<<HTML
--snap--
as input to the template script, an administrative account can execute
PHP code, opening up possibilities such as executing shell commands on
the local system.
Admittedly, this is mitigated somewhat by the fact that administrative
access is required, but if an attacker has compromised an
administrative account, they can use this to escalate their
privileges.
John
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed