Topic: [BUG][EXPLOIT] Users.db.php in search
Name: Disclosure of user database in search.php
Reported by: Stephan (via e-mail)
Author of fix: (lKj)
CuteNews Compatibility: 1.3.6 - * (no incompatibility reported yet) and UTF-8 CuteNews 1 - 8b (downloaded prior to Mar 13th 2010)
Description: If search.php is included on a page where show_news.php or show_archives.php has already been included, the whole contents of the user database will be shown in the Author field.
This issue has been fixed in UTF-8 CuteNews 8b as of March 13th 2010. Users who already have UTF-8 CuteNews 8b installed only have to overwrite show_news.php, show_archives.php and search.php from the new .zip at the UTF-8 CN project page.
Instructions:
In show_news.php, find:
unset($static, $template, $requested_cats, $category, $catid, $cat,$reverse, $in_use, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives);
Replace with:
unset($static, $template, $requested_cats, $category, $catid, $cat,$reverse, $in_use, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives, $user);
In show_archives.php, find:
unset($template, $requested_cats, $reverse, $in_use, $archive, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives);
Replace with:
unset($template, $requested_cats, $reverse, $in_use, $archive, $archives_arr, $number, $no_prev, $no_next, $i, $showed, $prev, $used_archives, $user);
If you are using CuteNews 1.4.6, find in search.php:
// Define Users
$all_users = file("$cutepath/data/users.db.php");
If you are using UTF-8 CuteNews, find:
$story = utf8_htmlentities($story);
$title = utf8_htmlentities($title);
Add below:
if(!isset($user) && isset($_GET['user'])){
    $user = htmlentities($_GET['user']);
}
Upload those three files, check that the fix is successful and you're set.
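
The leak described above comes from PHP includes sharing one variable scope. The following simplified model is an added illustration, not CuteNews source: the file names, the sample database rows and the way $user gets filled are constructed assumptions; only the unset($user) and the isset() guard are taken from the instructions.

```php
<?php
// Added illustration, not CuteNews source. File names, sample rows and the
// way $user is filled are constructed assumptions.
$dir = sys_get_temp_dir() . '/cn_scope_demo_' . uniqid();
mkdir($dir);
file_put_contents("$dir/users.db", "1|admin|HASH_PLACEHOLDER\n2|editor|HASH_PLACEHOLDER\n");

// Stand-in for show_news.php: uses $user as a working variable.
$news_body = '$user = file_get_contents(__DIR__ . "/users.db");' . "\n";
file_put_contents("$dir/news_unfixed.php", "<?php\n" . $news_body);
// Fixed variant: same body, then the cleanup the fix adds to the unset() list.
file_put_contents("$dir/news_fixed.php", "<?php\n" . $news_body . 'unset($user);' . "\n");

// Stand-in for search.php: pre-fills the Author field from $user.
// The guard mirrors the lines the fix adds to search.php.
$search = <<<'PHP'
<?php
if (!isset($user) && isset($_GET['user'])) {
    $user = htmlentities($_GET['user']);
}
return 'Author: <input name="user" value="' . (isset($user) ? $user : '') . '">';
PHP;
file_put_contents("$dir/search.php", $search);

// Each page is rendered inside a function so the two runs start with a clean
// scope; inside it, both includes share one scope, as they do on a real page.
function render_page($dir, $news_file) {
    include "$dir/$news_file";
    return include "$dir/search.php";
}

$_GET['user'] = 'alice';   // constructed request parameter

// Unfixed: $user is still set when search.php runs, so the guard is skipped
// and the database rows end up in the Author field.
echo "unfixed: ", render_page($dir, 'news_unfixed.php'), "\n";

// Fixed: $user was unset, so the field holds only the escaped request value.
echo "fixed:   ", render_page($dir, 'news_fixed.php'), "\n";

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Because the guard in search.php only runs when $user is not already set, it does not stop the leak on its own; the unset($user) in the news scripts is what clears the leftover value.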