|
|
Family: CGI abuses --> Category: mixed
CuteNews Client-IP Header Code Injection Vulnerability Vulnerability Scan
Vulnerability Scan Summary
Checks for Client-IP header code injection vulnerability in CuteNews
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web site contains a PHP script that allows for arbitrary
PHP code execution.
Description :
The version of CuteNews installed on the remote host fails to properly
sanitize the IP addresses of clients using the system before logging
them to a known file. A possible hacker can exploit this flaw to inject
arbitrary PHP code through a Client-IP request header and then execute
that code by requesting 'data/flood.db.php'.
See also :
http://retrogod.altervista.org/cutenews140.html
Solution :
Restrict access to CuteNews' data directory
eg, using a .htaccess
file.
Threat Level:
Medium / CVSS Base Score : 6
(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|
