| VID | 21313 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | CuteNews is vulnerable to a debug query information disclosure vulnerability. CuteNews is a freely available PHP-based news management system that uses flat files to store its database. Version 1.3.1 of CuteNews could expose sensitive server configuration data to a remote attacker because of an implementation flaw that causes the PHP function phpinfo() to execute, returning sensitive information about the system, when "index.php" is requested with the "debug" argument. By sending a specially crafted URL such as http://[target_server]/cutenews/index.php?debug a remote attacker could obtain sensitive information about the system, which could then be used to launch further attacks against the affected system. References: http://archives.neohapsis.com/archives/bugtraq/2003-11/0355.html Platforms Affected: CutePHP CuteNews (any version); Microsoft Windows (any version); Unix, Linux (any version). |
| Recommendation | No upgrade or patch available as of July 2004. |
| Related URL | (CVE) |
| Related URL | 9130 (SecurityFocus) |
| Related URL | 13868 (ISS) |
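
A defender-side check for the request described above, as an added example that is not part of the original advisory: it scans web server access-log lines for requests to index.php that carry a "debug" argument, including a bare `?debug` and percent-encoded spellings. The log format (Apache common/combined), the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed Apache common/combined log format: client, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2004:10:01:02 +0000] "GET /cutenews/index.php?debug HTTP/1.0" 200 41233',
    '192.0.2.10 - - [12/Jul/2004:10:01:05 +0000] "GET /cutenews/index.php?%64ebug=1 HTTP/1.0" 200 41240',
    '198.51.100.7 - - [12/Jul/2004:10:02:00 +0000] "GET /cutenews/index.php?id=debug HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/Jul/2004:10:02:09 +0000] "GET /cutenews/index.php?debugger=1 HTTP/1.0" 200 5120',
    '203.0.113.5 - - [12/Jul/2004:10:03:00 +0000] "GET /news/INDEX.PHP?x=1&debug HTTP/1.1" 403 -',
]

def is_debug_request(target):
    """True if the request target is index.php carrying a 'debug' argument."""
    parts = urlsplit(target)
    # Path compared case-insensitively because Windows hosts are listed as affected.
    if not unquote(parts.path).lower().endswith("/index.php"):
        return False
    # keep_blank_values keeps a bare "?debug" (no "=value") as a key;
    # parse_qsl also decodes percent-encoded names such as "%64ebug".
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return "debug" in keys

def find_debug_probes(lines):
    """Return one record per matching request; 'served' marks HTTP 200 replies."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_debug_request(m["target"]):
            hits.append({"client": m["client"], "time": m["ts"],
                         "target": m["target"], "status": int(m["status"]),
                         "served": m["status"] == "200"})
    return hits

if __name__ == "__main__":
    for hit in find_debug_probes(SAMPLE_LOG):
        print(hit)
```

Records with `served` set to true are the ones to review first, since a 200 response means the page was returned to the client.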