CuteNews <= 1.4.1 Directory Traversal Arbitrary File Access

Medium

Synopsis

The remote host is running a version of CuteNews that allows an attacker to upload or download files outside of the web root directory.

Description

According to its version number, the remote host is running a version of CuteNews that allows an attacker to upload or download files outside of the web root directory. This affects both confidentiality and integrity. An attacker exploits the flaw by sending a malformed request that contains a '../' sequence. Successful exploitation results in reading or writing arbitrary files outside of the web root.
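The following added example (not part of the original advisory, and not CuteNews or scanner code) shows one way to flag such requests in web server access logs, including percent-encoded and backslash variants of '../' that a plain substring match misses. The log lines, script names and parameter names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # bound the work spent on multiply-encoded input
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines; script and parameter names are hypothetical.
SAMPLE_LOG = [
    '198.51.100.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news/show.php?id=12 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /news/show.php?file=../../secret.txt HTTP/1.1" 200 310',
    '198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /news/show.php?file=%252e%252e%252fsecret.txt HTTP/1.1" 200 310',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "POST /news/upload.php?dest=..%5C..%5Cout.txt HTTP/1.1" 200 88',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /news/show.php?title=release..notes HTTP/1.1" 200 4096',
]


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly so double-encoded input collapses to its final form."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_parent_segment(value: str) -> bool:
    """True if, after decoding, any path segment is exactly '..'."""
    normalized = fully_decode(value).replace("\\", "/")
    return ".." in normalized.split("/")


def is_traversal_request(target: str) -> bool:
    """Check the URL path and every query parameter value for a '..' segment."""
    parts = urlsplit(target)
    if has_parent_segment(parts.path):
        return True
    params = parse_qsl(parts.query, keep_blank_values=True)
    return any(has_parent_segment(value) for _, value in params)


def flag_traversal(lines):
    """Return the indexes of log lines whose request target contains traversal."""
    flagged = []
    for index, line in enumerate(lines):
        match = REQUEST_RE.search(line)
        if match and is_traversal_request(match.group(1)):
            flagged.append(index)
    return flagged
```

Matching on whole path segments rather than the substring `..` keeps values such as `release..notes` from being flagged.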

Solution

Upgrade to a version of CuteNews higher than 1.4.1.