lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 2 Jun 2003 20:37:40 +0200
From: "FraMe" <frame@...palab.com>
To: <bugtraq@...urityfocus.com>
Subject: b2 cafelog: remote command execution, sql injection and another flaw.


Products:    b2 cafelog 0.6.1 with ljupdate
                  b2 cafelog 0.6.2 and prior
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org

CONTENTS

1. Overview
2. Description.
3. Details.
4. Vendor Response

1. Overview.

b2 is a news/weblog tool written in php. b2 uses MySQL as backend system.

2. Description.

"b2 0.6.1 with ljupdate" allow remote command execution in
./b2-include/b2functions.php. A malicious user can inject an url in $b2inc,
and obtain command execution with web server privileges ( usually nobody ).

"b2 0.6.2 and prior" allow sql injection in ./blog.header.php. $posts isnĀ“t
convert to integer, so we can inject a sql in this variable. In MySQL 4.x
UNION and subselects can be used to obtain privileges.

"b2 0.6.2 and prior" has a little flaw. Bored users can force server to read
a remote file using $b2inc in ./b2-include/b2menutop.php

3. Details

b2 0.6.1 with ljupdate.
from ./b2-include/b2functions.php:
=======================
<?php
(..)
require_once($b2inc."/lj_update.php");
?>
=======================

b2 0.6.2 and prior
from ./blog.header.php:
=======================
<?php
(..)
if ($posts)
 $posts_per_page=$posts;
(..)
$limits = ' LIMIT '.$posts_per_page;
(..)
$request = " SELECT $distinct * FROM $tableposts WHERE 1=1".$where." ORDER
BY post_$orderby $limits";
(..)
$result = mysql_query($request);
?>
=======================

b2 0.6.2 and prior
from ./b2-include/b2menutop.php:
=======================
<?php
(..)
$menu = file($b2inc."/b2menutop.txt");
(..)
?>

4. Vendor Response

20-04-2003: Sent email to vendor.
31-05-2003: No response.

==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ