Vulnerability Description
PHP remote file inclusion vulnerability in CzarNews 1.13b allows remote attackers to execute arbitrary PHP code via the tpath parameter to (1) headlines.php or (2) news.php. NOTE: some sources have reported the "dir" parameter as being affected; however, this is likely a cut-and-paste error from the wrong section of the original vulnerability report. Also, the news.php version was later reported to be in 1.12 through 1.14.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Czaries Network | Czarnews | 1.13b |
References
- http://secunia.com/advisories/14670PatchVendor Advisory
- http://securitytracker.com/id?1013486
- http://www.osvdb.org/14925
- http://www.osvdb.org/14926
- http://www.securityfocus.com/bid/12857
- http://www.securityfocus.com/bid/18411
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19765
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27733
- https://www.exploit-db.com/exploits/2009
- http://secunia.com/advisories/14670PatchVendor Advisory
- http://securitytracker.com/id?1013486
- http://www.osvdb.org/14925
- http://www.osvdb.org/14926
- http://www.securityfocus.com/bid/12857
- http://www.securityfocus.com/bid/18411
FAQ
What is CVE-2005-0859?
CVE-2005-0859 is a vulnerability with a CVSS score of 7.5 (HIGH). PHP remote file inclusion vulnerability in CzarNews 1.13b allows remote attackers to execute arbitrary PHP code via the tpath parameter to (1) headlines.php or (2) news.php. NOTE: some sources have r...
How severe is CVE-2005-0859?
CVE-2005-0859 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2005-0859?
Check the references section above for vendor advisories and patch information. Affected products include: Czaries Network Czarnews.