CVE-2005-3010 Information

Description

Direct static code injection vulnerability in the flood protection feature in inc/shows.inc.php in CuteNews 1.4.0 and earlier allows remote attackers to execute arbitrary PHP code via the HTTP_CLIENT_IP header (Client-Ip) which is injected into data/flood.db.php.

Reference

http://securityreason.com/securityalert/14 http://www.securityfocus.com/archive/1/411057 http://www.securityfocus.com/bid/14869