MD News latest.php configfile Variable Remote File Inclusion

2006-06-13T16:29:08
ID OSVDB:27672
Type osvdb
Reporter SpC-x (spc-x@bsdmail.org)
Modified 2006-06-13T16:29:08

Description

Vulnerability Description

MD News has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to the latest.php script not properly sanitizing user input supplied to the 'configfile' variable. However, subsequent evaluation shows that the variable is set to a static value by config.php, making it impossible for a remote attacker to manipulate data passed to the program.
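To illustrate why a static assignment in config.php closes this class of report, here is an added, hypothetical PHP illustration (not the MD News source; the variable name mirrors the advisory, the file name and logic are constructed):

```php
<?php
// Hypothetical illustration, not MD News code.

// Pattern the advisory assumed: the include path is taken from the request,
// so a crafted ?configfile= value would reach include().
function vulnerable_pattern(array $request): string
{
    $configfile = $request['configfile'] ?? 'config.php';
    return $configfile;
}

// Pattern the OSVDB re-evaluation describes: config.php assigns the variable
// unconditionally, so anything the request carried (even under
// register_globals) is overwritten before the include runs.
function static_pattern(array $request): string
{
    $configfile = $request['configfile'] ?? null; // value a request could inject
    $configfile = 'news.conf';                    // constructed static assignment
    return $configfile;
}

// Triage: the same crafted request against both patterns.
$crafted = ['configfile' => 'http://example.invalid/remote.txt'];
var_dump(vulnerable_pattern($crafted) === $crafted['configfile']); // bool(true): request controls the path
var_dump(static_pattern($crafted) === 'news.conf');                // bool(true): request is ignored
```

When triaging a file-inclusion report, the check is therefore whether the variable passed to include() is assigned from a constant before use along every path; if it is, the request parameter cannot influence the included file.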

Solution Description

The vulnerability reported is incorrect. No solution required.

Manual Testing Notes

http://[target]/MD News/latest.php?configfile=Command-Shell

References:

Vendor URL: http://www.matthewdingley.co.uk/downloads_scripts.php#news
Other Advisory URL: http://www.root-security.org/danger/MDNews.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0242.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0267.html