Directory Traversal Vulnerability in CuteNews by CuteNews Team
CVE-2006-1339
Currently unrated
What is CVE-2006-1339?
A directory traversal vulnerability exists in the CuteNews application, in the inc/functions.inc.php file, when register_globals is enabled. Remote attackers can exploit it by sending HTTP POST or COOKIE requests that include a .. (dot dot) sequence and a trailing NULL byte (%00) in the archive parameter. Because the sanity check is applied only to GET requests, these requests bypass it, enabling unauthorized file inclusion that could lead to the exposure of sensitive information or further exploitation of the system.
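A detection sketch for the condition described above, added here as an example and not taken from CuteNews or the advisory: it inspects the archive parameter in the query string, the form body and the Cookie header alike, so a value cannot slip past by changing its source. The function names, request paths and sample requests are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

PARAM = "archive"  # parameter named in the advisory

def _suspicious(value: str) -> bool:
    # Values are already percent-decoded here, so %00 arrives as "\x00".
    return ".." in value or "\x00" in value

def archive_findings(raw_request: str) -> list[tuple[str, str]]:
    """Return (source, decoded value) for each suspicious `archive` value,
    whether it arrived via GET, POST or COOKIE."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()

    candidates = []  # (source, name, decoded value)
    for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        candidates.append(("GET", k, v))
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qsl(body, keep_blank_values=True):
            candidates.append(("POST", k, v))
    for part in headers.get("cookie", "").split(";"):
        k, _, v = part.strip().partition("=")
        candidates.append(("COOKIE", k, unquote(v)))  # PHP URL-decodes cookie values

    return [(src, v) for src, k, v in candidates if k == PARAM and _suspicious(v)]

# Constructed sample requests (hypothetical host, path and file name).
BENIGN_GET = "GET /?archive=1142000000 HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST_REQ = (
    "POST / HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "archive=../../constructed-name%00"
)
COOKIE_REQ = (
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    "Cookie: lang=en; archive=..%2F..%2Fconstructed-name%00\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in [("get", BENIGN_GET), ("post", POST_REQ), ("cookie", COOKIE_REQ)]:
        print(label, archive_findings(req))
```

The same rule applies to the fix on the server side: validate the parameter wherever it is read, not per request method.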