
CuteNews Remote PHP Code Injection Execution Vulnerability

WBOY
2016-07-13 17:08:58

CuteNews is a powerful news management system that uses flat file storage.
CuteNews has a vulnerability in how it processes request parameters submitted by users. A remote attacker may exploit this vulnerability to execute arbitrary commands on the host.
When managing accounts and editing template files, CuteNews does not correctly filter user input. CuteNews takes the HTML code from the web form and writes it into a template file named .tpl. The template file contains PHP code similar to the following:
--snip--
<?PHP
$template_active = <<<HTML
[HTML template code]
HTML;
$template_full = <<<HTML
[HTML template code]
HTML;
?>
--snap--
Enter the following template script:
--snip--
HTML;
[PHP code]
$fake_template = <<<HTML
--snap--
An administrative account can use this to execute PHP code, which in turn causes shell commands to be executed on the local system.
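The root cause is that form input is written between heredoc delimiters in a file that PHP later executes. The following added example (not CuteNews code and not part of the original advisory) puts that writer pattern next to a hardened one and adds two defensive checks; the function names and the sample input are constructed, and it assumes templates do not rely on PHP variable interpolation.

```php
<?php
// Added example; function names are hypothetical, not CuteNews source.

// Vulnerable pattern from the advisory: form input is pasted between heredoc
// delimiters, so an input line reading "HTML;" ends the string early.
function build_template_unsafe(string $active, string $full): string
{
    return "<?php\n\$template_active = <<<HTML\n{$active}\nHTML;\n"
         . "\$template_full = <<<HTML\n{$full}\nHTML;\n?>\n";
}

// Hardened writer: var_export() emits a single-quoted literal with quotes and
// backslashes escaped, so input can neither close the string nor interpolate.
function build_template_safe(string $active, string $full): string
{
    return "<?php\n\$template_active = " . var_export($active, true) . ";\n"
         . "\$template_full = " . var_export($full, true) . ";\n";
}

// Input check: true if any line would act as the heredoc closing marker.
// PHP 7.3+ accepts an indented marker followed by any non-label character.
function closes_heredoc(string $input, string $label = 'HTML'): bool
{
    $re = '/^[ \t]*' . preg_quote($label, '/') . '(?![A-Za-z0-9_\x80-\xff])/m';
    return preg_match($re, $input) === 1;
}

// Audit helper: every variable token in a generated file. Anything beyond the
// two template variables means input was parsed as code or interpolated.
function variables_in(string $php): array
{
    $names = [];
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok) && $tok[0] === T_VARIABLE) {
            $names[] = $tok[1];
        }
    }
    return array_values(array_unique($names));
}

// Constructed input in the shape shown above; "$injected = 1;" is a harmless
// stand-in for the advisory's [PHP code] placeholder.
$input = "HTML;\n\$injected = 1;\n\$fake_template = <<<HTML";

var_dump(closes_heredoc($input));
print_r(variables_in(build_template_unsafe($input, '<p>full</p>')));
print_r(variables_in(build_template_safe($input, '<p>full</p>')));
```

Running `variables_in()` over existing .tpl files is a quick way to audit an installation for templates that already contain more than the expected template variables.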
<*Source: John Cantu (
