Family: CGI abuses --> Category: mixed
CuteNews Client-IP Header Code Injection Vulnerability: Vulnerability Scan
Vulnerability Scan Summary
Checks for Client-IP header code injection vulnerability in CuteNews
Detailed Explanation for this Vulnerability Test
The remote web site contains a PHP script that allows arbitrary PHP code execution.
The version of CuteNews installed on the remote host fails to properly
sanitize the IP addresses of clients using the system before logging
them to a known file. An attacker can exploit this flaw to inject
arbitrary PHP code through a Client-IP request header and then execute
that code by requesting 'data/flood.db.php'.
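The root cause above is that a client-supplied Client-IP value reaches a file the web server will execute without first being checked to be an IP address. The following Python is an added example, not CuteNews code, showing the strict validation a logger should apply and an audit pass over an existing flood log; the 'timestamp|ip' record layout and all sample values are constructed assumptions.

```python
import ipaddress

# Constructed flood-log records (assumed 'timestamp|ip' layout, not CuteNews's real format).
SAMPLE_FLOOD_LOG = [
    "1125500000|203.0.113.5",
    "1125500060|2001:db8::1",
    "1125500120|203.0.113.5<?php /* injected */ ?>",
    "garbage line",
]


def parse_client_ip(header_value, max_len=45):
    """Return the canonical string form of header_value if it is strictly one
    IP address (v4 or v6); return None for anything else, including trailing
    text, comma-separated lists, or over-long input."""
    if header_value is None:
        return None
    value = header_value.strip()
    if not value or len(value) > max_len:
        return None
    try:
        # ipaddress.ip_address raises ValueError on anything that is not a single address.
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def client_ip_for_log(headers, remote_addr):
    """Pick the address to record: use Client-IP only when it parses as an IP,
    otherwise fall back to the socket peer address (also validated)."""
    candidate = parse_client_ip(headers.get("Client-IP"))
    if candidate is not None:
        return candidate
    return parse_client_ip(remote_addr)


def audit_flood_log(lines):
    """Return (line_number, record) for every record whose address field is not
    a valid IP; such records are evidence of header tampering in an existing log."""
    suspicious = []
    for lineno, line in enumerate(lines, 1):
        record = line.rstrip("\n")
        fields = record.split("|")
        if len(fields) < 2 or parse_client_ip(fields[1]) is None:
            suspicious.append((lineno, record))
    return suspicious


if __name__ == "__main__":
    print(audit_flood_log(SAMPLE_FLOOD_LOG))
```

Storing the record outside the document root, under a non-executable extension, is the complementary fix; validation alone only removes the injection vector.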
See also:
Solution:
Restrict access to CuteNews' data directory, e.g. using a .htaccess file.
Medium / CVSS Base Score: 6