CuteNews show.inc.php Direct Request Path Disclosure

2006-05-04T06:47:39
ID OSVDB:25305
Type osvdb
Reporter k4p0(k4p0k4p0@hotmail.com)
Modified 2006-05-04T06:47:39

Description

Vulnerability Description

CuteNews contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when the inc/show.inc.php script is requested directly, which discloses the installation path, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 1.4.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[target]/cutenews/inc/show.inc.php

References:

Vendor URL: http://www.cutephp.com/
Related OSVDB ID: 25304
Related OSVDB ID: 25306
Other Advisory URL: http://neosecurityteam.net/index.php?action=advisories&id=21
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0091.html
Keyword: [N]eo [S]ecurity [T]eam [NST]® Advisory #20
CVE-2006-2250