CuteNews Remote PHP Code Injection (Code Execution) Vulnerability

Source: Internet
Author: User
Tags: php code
CuteNews is a powerful news management system that uses flat-file storage.
CuteNews does not correctly handle a user-submitted request parameter, and a remote attacker who can reach the template editor (that is, one holding the admin account) could exploit this to execute arbitrary commands on the host.
When the admin account edits a template, CuteNews does not filter the submitted input. It takes the HTML code from the Web form and writes it verbatim into the template file named <templatename>.tpl. That file is itself PHP source in which the HTML is wrapped in heredoc strings, so it contains PHP code similar to the following:
--snip--
<?php
$template_active = <<<HTML
[HTML Template Code]
HTML;
$template_full = <<<HTML
[HTML Template Code]
HTML;
?>
--snap--
Enter the following as the template body. The first line closes the heredoc that CuteNews opened, so the PHP that follows is parsed as code rather than as string data; the last line opens a fresh heredoc so that the HTML; terminator CuteNews appends after the submitted text still has something to close, which keeps the generated file syntactically valid:
--snip--
HTML;
[PHP Code]
$fake_template = <<<HTML
--snap--
When the template is later loaded, the injected [PHP Code] runs with the privileges of the web server process, so the admin account can execute arbitrary PHP and, through it, shell commands on the local system.
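The following is an added example, written for this page and not taken from CuteNews or from the advisory's author. It reproduces the heredoc-embedding pattern described above in a small stand-alone writer, shows that a constructed payload of the shape given above executes when the generated file is included, and contrasts it with a hardened writer that emits the submitted template as a PHP string literal instead. The function names, the temp-directory file names and the payload are all assumptions of this example; nothing here reflects CuteNews's real file layout.

```php
<?php
// Added example, not CuteNews code. Demonstrates why writing user text into
// a heredoc inside a PHP source file is exploitable, and one way to fix it.

// Vulnerable pattern: the submitted HTML is dropped verbatim into PHP source
// between <<<HTML and HTML; (same shape as the template file shown above).
function write_template_vulnerable(string $path, string $active, string $full): void
{
    $src = "<?php\n"
         . "\$template_active = <<<HTML\n{$active}\nHTML;\n"
         . "\$template_full = <<<HTML\n{$full}\nHTML;\n";
    file_put_contents($path, $src);
}

// Check: would any line of the submitted body terminate the heredoc?
// Before PHP 7.3 the closing label had to start at column 0; since 7.3 it may
// be indented and only needs to not be followed by an identifier character,
// so the match is deliberately broad (indentation allowed, label followed by
// anything that is not an identifier character).
function template_breaks_heredoc(string $body, string $label = 'HTML'): bool
{
    $re = '/^[ \t]*' . preg_quote($label, '/') . '(?![A-Za-z0-9_\x80-\xff])/m';
    return (bool) preg_match($re, $body);
}

// Hardened pattern: var_export() turns the content into a quoted PHP string
// literal with ' and \ escaped, so whatever the admin typed stays data.
// Storing the template as a plain non-PHP file and reading it with
// file_get_contents() at render time would be better still.
function write_template_safe(string $path, string $active, string $full): void
{
    $src = "<?php\n"
         . '$template_active = ' . var_export($active, true) . ";\n"
         . '$template_full = ' . var_export($full, true) . ";\n";
    file_put_contents($path, $src);
}

// Constructed payload in the shape the advisory describes: close the heredoc,
// run a PHP statement, then open a fake heredoc so the HTML; that the writer
// appends still has something to close and the file parses.
$payload = "<h1>news</h1>\n"
         . "HTML;\n"
         . "\$injected_ran = true;\n"
         . "\$fake_template = <<<HTML";

$dir  = sys_get_temp_dir();
$vuln = $dir . '/example_vuln_template.tpl';   // assumed paths, not CuteNews's
$safe = $dir . '/example_safe_template.tpl';

write_template_vulnerable($vuln, $payload, '<p>body</p>');
write_template_safe($safe, $payload, '<p>body</p>');

$injected_ran = false;
include $vuln;                    // the injected statement is executed
var_dump($injected_ran);          // bool(true)

$injected_ran = false;
include $safe;                    // the same bytes are now just a string
var_dump($injected_ran);          // bool(false)
var_dump($template_active === $payload);          // bool(true): content preserved as data

// The pre-write check flags the payload before it ever reaches the file.
var_dump(template_breaks_heredoc($payload));      // bool(true)
var_dump(template_breaks_heredoc('<h1>news</h1>')); // bool(false)

unlink($vuln);
unlink($safe);
```

Run it with the PHP CLI (`php example.php`). The check function is a defence-in-depth filter only; the real fix is the second writer, because it never lets submitted bytes become PHP tokens regardless of which heredoc label or PHP version is in play.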
Source: John Cantu (
