AshWebStudio AshNews远程文件列入漏洞

Derek Ashauer ashNews 0.83版本存在PHP远程文件列入漏洞。远程攻击者借助(1)ashnews.php和(2)ashheadlines.php中pathtoashnews参数的URL执行任意远程文件。

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.commailto:vuldb@securityfocus.com .
@securityfocus.commailto:vuldb@securityfocus.com>

来源: BID
名称: 18248
链接:http://www.securityfocus.com/bid/18248

来源: BID
名称: 16436
链接:http://www.securityfocus.com/bid/16436

来源: BUGTRAQ
名称: 20030720 sorry, wrong file
链接:http://www.securityfocus.com/archive/1/329910

来源: MILW0RM
名称: 1864
链接:http://www.milw0rm.com/exploits/1864

来源: SECUNIA
名称: 9331
链接:http://secunia.com/advisories/9331

来源: forums.ashwebstudio.com
链接:http://forums.ashwebstudio.com/viewtopic.php?t=353&start=0

来源: FULLDISC
名称: 20060131 Re: ashnews Cross-Site Scripting Vulnerability
链接:http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0980.html

来源: FULLDISC
名称: 20060131 Re: ashnews Cross-Site Scripting Vulnerability
链接:http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0979.html

来源: FULLDISC
名称: 20060130 Re: ashnews Cross-Site Scripting Vulnerability
链接:http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0969.html