Cutenews 1.4.1 multiple vulnerabilities



/*
---------------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® Advisory #20
---------------------------------------------------------------
Program : CuteNews 1.4.1
Homepage: http://www.cutephp.com
Vulnerable Versions: CuteNews 1.4.1 and earlier
Risk: Medium!
Impact: Cross Site Scripting, Full Path Disclosure

-> CuteNews 1.4.1 Multiple vulnerabilities <-
---------------------------------------------------------------

- Description
---------------------------------------------------------------
CuteNews is a powerful and easy-to-use news management system that
uses flat files to store its database. It supports comments and
archives that can be organized by month.

- Tested
---------------------------------------------------------------
Tested on localhost and on many remote CuteNews installations

- Bug
---------------------------------------------------------------
1 - [ Cross Site Scripting ]
There are several XSS bugs in the 'search.php' file. They are caused by
the script not properly filtering three $_GET variables that are echoed
into fields of the web page.
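The root cause described above is a request parameter written into HTML without escaping. The following PHP is an added illustration, not CuteNews's own code: the parameter name 'story' and the form field are assumptions chosen for the demo, and the unsafe renderer is shown only to contrast it with the escaped version a maintainer would ship.

```php
<?php
// Added illustration, not CuteNews code. The parameter name 'story' and
// the search field markup are assumptions for this demo.

// Escape a value for use inside HTML element content or an attribute.
// ENT_QUOTES also converts single quotes, so the same helper is safe for
// single-quoted attributes; ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8 instead of silently dropping the field.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak pattern: the raw query parameter lands in the page unchanged, so
// any markup present in the URL is rendered by the visitor's browser.
// $get stands in for $_GET so the function can be exercised offline.
function render_search_field_unsafe(array $get): string
{
    $story = $get['story'] ?? '';
    return '<input type="text" name="story" value="' . $story . '">';
}

// Hardened pattern: the same field, with the value escaped at the exact
// point where it is written into HTML.
function render_search_field(array $get): string
{
    $story = html_escape($get['story'] ?? '');
    return '<input type="text" name="story" value="' . $story . '">';
}

// Constructed sample input standing in for $_GET. The value is just a
// handful of HTML-significant characters so the difference is visible.
$sample = ['story' => 'a"b<c>&d\''];

// The unsafe output breaks out of the value attribute; the hardened
// output keeps every character inside it as an entity.
echo render_search_field_unsafe($sample), PHP_EOL;
echo render_search_field($sample), PHP_EOL;
```

Escaping belongs at the output boundary rather than at input time, because the same value may later be written into a different context (a URL, a JavaScript string) that needs a different encoding. Running the file from the command line is enough to compare the two lines.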

In short, here is the vulnerable code:

News