Title: CutePHP CuteNews Flood Protection Client-IP PHP Code Injection Vulnerability
Severity: HIGH
Description:
CuteNews is a news management system that is implemented in PHP and maintained by CutePHP.
CutePHP CuteNews is prone to a vulnerability that may let remote attackers inject PHP and execute PHP code. This is due to an input validation error that lets remote users inject PHP code into a temporary file (flood.db.php) used by the flood protection feature of the application. Flood protection is implemented in the 'shows.inc.php' script.
The cause of the issue is that user-supplied data in the form of the 'Client-Ip' will be logged to 'flood.db.php'. This data is not adequately sanitized, making it possible to inject PHP into the file.
Once code has been injected, it is then possible to call the 'flood.db.php' script to execute the malicious code.
Exploitation could allow for remote execution of PHP code in the context of the server hosting the application.
This issue is reported to affected CuteNews 1.4.0. Other versions may also be affected.
Affected Products:
- CutePHP CuteNews 1.4.0.0
References:
- CutePHP: CuteNews Home Page
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
