http://www.swp-zone.org/archivos/advisory-06.txt

-------------------------------------------------------------------------------------------------
:.: Cross-Site Scripting CuteNews :.:

PROGRAM:  CuteNews
HOMEPAGE: http://cutephp.com/
VERSION:  v1.3.1
BUG:      Cross-Site Scripting
DATE:     23/05/2004
AUTHOR:   DarkBicho
  web:    http://www.darkbicho.tk
  team:   Security Wari Proyects
  Email:  darkbicho@peru.com
-------------------------------------------------------------------------------------------------

1.- Affected software description:
-----------------------------

CuteNews is a popular news publishing system, written in PHP by CutePHP.

2.- Vulnerabilities:
---------------

A. Cross-Site Scripting aka XSS:

:.: In Id :

http://attacker/show_archives.php?subaction=showcomments&id=&archive=&start_from=&ucat=&&archive=&start_from=&ucat=&
http://attacker/show_news.php?subaction=showcomments&id=&archive=&start_from=&ucat=&
http://attacker/example1.php?subaction=showfull&id=
http://attacker/example2.php?subaction=showfull&id=

3.- SOLUTION:
--------

Vendors were contacted many weeks ago and plan to release a fixed version soon. Check the CuteNews website for updates and official release details.

4.- Greetings:
---------

greetings to my Peruvian group swp and perunderforce :D
"PISCO IS AND WILL BE PERUVIAN"

5.- Contact
-------

WEB:   http://www.darkbicho.tk
EMAIL: darkbicho@peru.com

-------------------------------------------------------------------------------------------------
Security Wari Projects (c) 2002 - 2004 Made in Peru
----------------------------------------[ EOF ]----------------------------------------------

DarkBicho
Web: http://www.darkbicho.tk
"My only crime is seeing what others cannot see"

---------------------- The End ----------------------
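The advisory lists the query parameters (subaction, id, archive, start_from, ucat) that CuteNews reflects into its pages. The following is an added example, not CuteNews code or a vendor patch, of how a PHP handler can stop this class of reflected XSS: numeric parameters are validated as integers, subaction is matched against a fixed list, and anything that does reach the HTML is entity-encoded. The function names, the assumption that archive is a digits-only value, and the rendered link are mine.

```php
<?php
// Added example (not CuteNews code): hardened handling of the parameters
// named in the advisory. Function names and the archive format are assumptions.

// id, ucat and start_from should only ever be integers; FILTER_VALIDATE_INT
// rejects anything else, so markup or event handlers never reach the page.
function read_int_param(array $query, string $name, int $default = 0): int
{
    if (!isset($query[$name])) {
        return $default;
    }
    $value = filter_var($query[$name], FILTER_VALIDATE_INT);
    return $value === false ? $default : $value;
}

// subaction is a small set of keywords: compare against a whitelist, never echo it raw.
function read_subaction(array $query): string
{
    $allowed = ['showfull', 'showcomments'];
    $value = $query['subaction'] ?? '';
    return in_array($value, $allowed, true) ? $value : 'showfull';
}

// archive is assumed to be a numeric identifier; anything else is dropped.
function read_archive(array $query): string
{
    $value = $query['archive'] ?? '';
    return preg_match('/^[0-9]{1,12}$/', $value) === 1 ? $value : '';
}

// Every value written into HTML is entity-encoded, quotes included.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (do not use): echoing raw request data into the page.
//   echo '<a href="show_news.php?id=' . $_GET['id'] . '">';
// Hardened rendering of the same link from validated values only:
$href = 'show_news.php?' . http_build_query([
    'subaction'  => read_subaction($_GET),
    'id'         => read_int_param($_GET, 'id'),
    'archive'    => read_archive($_GET),
    'start_from' => read_int_param($_GET, 'start_from'),
    'ucat'       => read_int_param($_GET, 'ucat'),
]);
echo '<a href="' . h($href) . '">' . h('Show comments') . '</a>';
```

Validation alone is not sufficient where a parameter legitimately carries free text; the encoding step in h() is the part that must always run at output time.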