1 (edited by 2010-03-14 15:31:17)

Topic: [BUG][EXPLOIT] Users.db.php in search

Name: Disclosure of user database in search.php
Reported by: Stephan (via e-mail)
Author of fix: (lKj)
CuteNews Compatibility: 1.3.6 - * (no incompatibility reported yet) and UTF-8 CuteNews 1 - 8b (downloaded prior to Mar 13th 2010)
Description: If search.php is included on a page where show_news.php or show_archives.php has already been included, the whole contents of the user database will be shown in the Author field.
This issue has been fixed in UTF-8 CuteNews 8b as of March 13th 2010. Users who already have UTF-8 CuteNews 8b installed only have to overwrite show_news.php, show_archives.php and search.php from the new .zip at the UTF-8 CuteNews project page.

In show_news.php, find:

unset($static, $template, $requested_cats, $category, $catid, $cat,$reverse, $in_use, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives);

Replace with:

unset($static, $template, $requested_cats, $category, $catid, $cat,$reverse, $in_use, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives, $user);

In show_archives.php, find:

unset($template, $requested_cats, $reverse, $in_use, $archive, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives);

Replace with:

unset($template, $requested_cats, $reverse, $in_use, $archive, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives, $user);

If you are using CuteNews 1.4.6, find in search.php:

// Define Users
$all_users = file("$cutepath/data/users.db.php");

If you are using UTF-8 CuteNews, find:

$story = utf8_htmlentities($story);
$title = utf8_htmlentities($title);

Add below:

if(!isset($user) && isset($_GET['user'])){
 $user = htmlentities($_GET['user']);
}

Upload those three files, check that the fix is successful and you're set.
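One way to do the "check that the fix is successful" step as a static check of the three files, written as an added example (not part of the original post or of CuteNews). The function names and the script name are hypothetical; it only inspects the source text for the edits listed above and does not load the pages.

```python
import re
import sys
from pathlib import Path

# The post's unset() lines all list $used_archives; use it to find the cleanup call.
CLEANUP_MARKER = "$used_archives"
UNSET_CALL = re.compile(r"unset\s*\(([^)]*)\)")
# The guard the post adds to search.php, tolerant of whitespace and quote style.
USER_GUARD = re.compile(
    r"if\s*\(\s*!\s*isset\(\s*\$user\s*\)\s*&&\s*"
    r"isset\(\s*\$_GET\[\s*['\"]user['\"]\s*\]\s*\)\s*\)"
)

def unset_clears_user(php_source):
    """True if the cleanup unset() call also lists $user (exact name match)."""
    for call in UNSET_CALL.finditer(php_source):
        names = [name.strip() for name in call.group(1).split(",")]
        if CLEANUP_MARKER in names:
            return "$user" in names
    return False  # cleanup call not found: treat as unpatched

def search_guards_user(php_source):
    """True if the isset($user) / $_GET['user'] guard from the post is present."""
    return bool(USER_GUARD.search(php_source))

def check_install(root):
    """Map each of the three files to True (edit present) or False."""
    root = Path(root)
    checks = {
        "show_news.php": unset_clears_user,
        "show_archives.php": unset_clears_user,
        "search.php": search_guards_user,
    }
    results = {}
    for name, check in checks.items():
        path = root / name
        results[name] = path.is_file() and check(path.read_text(errors="replace"))
    return results

if __name__ == "__main__":
    # Usage: python check_fix.py /path/to/cutenews  (script name is an assumption)
    status = check_install(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, ok in status.items():
        print(f"{name}: {'patched' if ok else 'NOT patched or missing'}")
    sys.exit(0 if all(status.values()) else 1)
```

A file reported as not patched still contains the old `unset(...)` line or lacks the `$user` guard, so it should be edited again or overwritten from the updated .zip.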