| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Jun 2005 20:39:51 -0400 From: John Cantu <john.cantu@...il.com> To: bugtraq@...urityfocus.com Subject: PHP Execution Vulnerability in CuteNews There is a vulnerability in the latest (and to the best of my knowledge, all prior versions of) CuteNews from CutePHP.com. CuteNews does not properly sanitize user input when an administrative account edits the template files. CuteNews takes HTML code from a web form and outputs it to a template file called <templatename>.tpl, which contains PHP code similar to the following: --snip-- <?PHP $template_active = <<<HTML [HTML template code] HTML; $template_full = <<<HTML [HTML template code] HTML; ?> --snap-- By entering: --snip-- HTML; [PHP code] $fake_template = <<<HTML --snap-- as input to the template script, an administrative account can execute PHP code, opening up possibilities such as executing shell commands on the local system. Admittedly, this is mitigated somewhat by the fact that administrative access is required, but if an attacker has compromised an administrative account, they can use this to escalate their privileges. John
Powered by blists - more mailing lists