[BUG][EXPLOIT] Users.db.php in search Options

[(lKj)]

Name: Disclosure of user database in search.php
Reported by: Stephan (via e-mail)
Author of fix: (lKj)
CuteNews Compatibility: 1.3.6 - * (no incompatibility reported yet) and UTF-8 CuteNews 1 - 8b (downloaded prior to Mar 13th 2010)
Description: If search.php is included on a page where show_news.php or show_archives.php has already been included, the whole contents of the user database will be shown in the Author field.
This issue has been fixed in UTF-8 CuteNews 8b as of March 13th 2010. Users who already have UTF-8 CuteNews 8b installed only have to overwrite show_news.php, show_archives.php and search.php from the new .zip at the UTF-8 CN project page.

Instructions:
In show_news.php, find:

CODE

unset($static, $template, $requested_cats, $category, $catid, $cat,$reverse, $in_use, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives);

Replace with:

CODE

unset($static, $template, $requested_cats, $category, $catid, $cat,$reverse, $in_use, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives, $user);

In show_archive.php, find:

CODE

unset($template, $requested_cats, $reverse, $in_use, $archive, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives);

Replace with:

CODE

unset($template, $requested_cats, $reverse, $in_use, $archive, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives, $user);

If you are using CuteNews 1.4.6, find in search.php:

CODE

// Define Users
$all_users = file("$cutepath/data/users.db.php");

If you are using UTF-8 CuteNews, find:

CODE

$story = utf8_htmlentities($story);
$title = utf8_htmlentities($title);

Add below:

CODE

if(!isset($user) && isset($_GET['user'])){
$user = htmlentities($_GET['user']);
}

Upload those three files, check that the fix is successful and you're set .