CuteNews contains a flaw in the comments.php script that may allow an attacker to execute arbitrary PHP code on the affected webserver. The issue is triggered when an attacker passes the URL of a malicious PHP script to the $cutepath variable from a web browser. It is possible that the flaw may allow execution of arbitrary code with the privileges of the target web server, resulting in a loss of integrity.

Upgrade to version 1.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1006173
• ISS X-Force ID: 11417
• CVE ID: 2003-1240 (see also: NVD)
• Related OSVDB ID: 5957 6051
• Bugtraq ID: 6935
• Secunia Advisory ID: 8154
• Vendor URL: http://air.langame.net/
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-02/0320.html
• Other Advisory URL: http://marc.theaimsgroup.com/?l=bugtraq&m=104619051400775&w=2

• Over G - overgmail.ru -
• VenoM - VenoM88mail.ru -