lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <35c5dc1f050601173911792879@mail.gmail.com>
Date: Wed, 1 Jun 2005 20:39:51 -0400
From: John Cantu <john.cantu@...il.com>
To: bugtraq@...urityfocus.com
Subject: PHP Execution Vulnerability in CuteNews


There is a vulnerability in the latest (and to the best of my
knowledge, all prior versions of) CuteNews from CutePHP.com.

CuteNews does not properly sanitize user input when an administrative
account edits the template files. CuteNews takes HTML code from a web
form and outputs it to a template file called <templatename>.tpl,
which contains PHP code similar to the following:

--snip--
<?PHP
$template_active = <<<HTML
[HTML template code]
HTML;
$template_full = <<<HTML
[HTML template code]
HTML;
?>
--snap--

By entering:

--snip--
HTML;
[PHP code]
$fake_template = <<<HTML
--snap--

as input to the template script, an administrative account can execute
PHP code, opening up possibilities such as executing shell commands on
the local system.

Admittedly, this is mitigated somewhat by the fact that administrative
access is required, but if an attacker has compromised an
administrative account, they can use this to escalate their
privileges.

John


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ