Article Topic Learning Download Q&A Programming Dictionary Game Recent Updates

简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW) 日本語(JA) 한국어(KO) Melayu(MS) Français(FR) Deutsch(DE)

Home > Backend Development > PHP Tutorial > body text

CuteNews远程PHP代码注入执行漏洞_PHP

WBOY

Release： 2016-06-01 12:25:34

Original

1524 people have browsed it

Cutenews是一款功能强大的新闻管理系统，使用平坦式文件存储。

Cutenews在处理用户提交的请求参数时存在漏洞，远程攻击者可能利用此漏洞在主机上执行任意命令。

在管理帐号编辑模板文件的时候，CuteNews不能正确的过滤用户输入。CuteNews从Web表单中获取HTML代码并将其输出到名为.tpl的模板文件中。该模板文件包含有类似以下的PHP代码：

--snip--
$template_active = [HTML template code]
HTML;
$template_full = [HTML template code]
HTML;
?>
--snap--

输入以下模板脚本：

--snip--
HTML;
[PHP code]
$fake_template = --snap--

管理帐号就可以执行PHP代码，导致在本地系统执行shell命令。

Jeian@myrealbox.com）

链接：http://marc.theaimsgroup.com/?l=bugtraq&m=111773528322711&w=2
*>

建议：

厂商补丁：

CutePHP
-------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

www.CutePHP.com.

Related labels：

html php code implement document template injection loopholes Remotely

source：php.cn

Previous article：两种Discuz网站漏洞的入侵方法_PHP Next article：Discuz插件漏洞攻击_PHP

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Latest Articles by Author

What is a NullPointerException, and how do I fix it?

2024-10-22 09:46:29
From Novice to Coder: Your Journey Begins with C Fundamentals

2024-10-13 13:53:41
Unlocking Web Development with PHP: A Beginner's Guide

2024-10-12 12:15:51
Demystifying C: A Clear and Simple Path for New Programmers

2024-10-11 22:47:31
Unlock Your Coding Potential: C Programming for Absolute Beginners

2024-10-11 19:36:51
Unleash Your Inner Programmer: C for Absolute Beginners

2024-10-11 15:50:41
Automate Your Life with C: Scripts and Tools for Beginners

2024-10-11 15:07:41
PHP Made Easy: Your First Steps in Web Development

2024-10-11 14:21:21
Build Anything with Python: A Beginner's Guide to Unleashing Your Creativity

2024-10-11 12:59:11
The Key to Coding: Unlocking the Power of Python for Beginners

2024-10-11 12:17:31

Latest Issues

function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...

From 2024-04-29 11:01:01

0

2

1787

How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?

From 2024-04-23 00:22:19

0

10

1929

The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.

From 2024-04-19 15:37:47

0

1

1641

There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...

From 2024-04-18 23:52:34

0

1

1549

Where is the courseware about CSS mind mapping? Courseware

From 2024-04-16 10:10:18

0

0

1582

Related Topics

More>

Popular Recommendations

Popular Tutorials

More>

Related Tutorials

Popular Recommendations

Latest courses

Latest Downloads

More>

Web Effects

Website Source Code

Website Materials

Front End Template

About us Disclaimer Sitemap: php.cn：Public welfare online PHP training，Help PHP learners grow quickly！