[Original text] Directory traversal vulnerability in the comments action in easyNews 1.5 and earlier allows remote attackers to modify news.dat, template.dat and possibly other files via a ".." in the cid parameter.
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
EasyNews is a free, open-source script for displaying news stories on a website.
EasyNews is prone to a vulnerability which may allow a remote attacker to modify information in its news database. As a result, a remote attacker may post unmoderated comments or possibly modify information in the templates used by EasyNews.
This may be exploited via a specially crafted web request.
Earlier versions may also be vulnerable.
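
With no vendor patch listed, reviewing web server logs for ".." in the cid parameter is one way to spot attempts. The following is an added detection example, not code from easyNews or from the advisory; the log format, the script path, the "action" parameter name and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (common log format). The script path and the
# "action" parameter name are assumptions; only the "cid" parameter and the
# "comments" action are named in the advisory.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2002:13:55:36 +0000] "GET /easynews/index.php?action=comments&cid=12 HTTP/1.0" 200 2326',
    '198.51.100.9 - - [10/Oct/2002:13:56:01 +0000] "POST /easynews/index.php?action=comments&cid=../example HTTP/1.0" 200 512',
    '198.51.100.9 - - [10/Oct/2002:13:56:09 +0000] "POST /easynews/index.php?action=comments&cid=%252e%252e%2Fexample HTTP/1.0" 200 512',
    '198.51.100.3 - - [10/Oct/2002:13:57:12 +0000] "GET /easynews/index.php?action=print&cid=7 HTTP/1.0" 200 1804',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so doubly encoded dots are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(cid):
    """True if any path segment of the decoded value is exactly '..'."""
    return ".." in re.split(r"[\\/]", fully_decode(cid))

def suspicious_requests(lines):
    """Return (client_ip, decoded_cid) for each request whose cid traverses."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        params = dict(parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True))
        cid = params.get("cid")
        if cid is not None and has_traversal(cid):
            hits.append((line.split()[0], fully_decode(cid)))
    return hits

if __name__ == "__main__":
    for client, cid in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent cid={cid!r}")
```

A cid sent in a POST body does not appear in access logs; the same `has_traversal` check applies wherever the parameter value is available, such as a reverse proxy or application log.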